Patch Management Process using the Six Sigma Methodology
Phoenix ISSA Chapter meeting – July 11, 2006
CompanyA, CompanyB and CSC
• CompanyA Inc. spun off one sector of its business into a completely separate publicly traded company, CompanyB.
• CompanyB has 22,000 employees worldwide in 30 countries.
• CompanyA outsourced its infrastructure business to CSC in 2003 in a 10-year agreement. CompanyB signed a similar agreement.
• Variety of players, new roles, significant change of people and roles.
Timeline
• March 2004 – CompanyB name announced
• 15 May 2004
• Six Sigma project initiation
• 13 July 2004
• 13 Jan 2005 – Network separation
• 20 Jan 2005 – Project ends
Over the past ten years, Six Sigma has delivered a variety of benefits to companies, e.g.:
• reducing costs
• increasing revenue
• improving process speed
• raising quality levels
• deepening customer relationships
In addition, Six Sigma has been used across a variety of industries and business models, from manufacturing to services.
Six Sigma has provided billions of dollars of top-line growth and bottom-line earnings improvement.
Real life
However……
Sigma and its practical use in the real world
CompanyA pioneered sigma use in 1986 to improve product quality by driving variance out of the manufacturing processes.
Circuit boards
• Units: 1,000 circuit boards
• Opportunities: 58 (1 board + 13 resistors + 4 capacitors + 2 diodes + 38 solder points)
• Defects: 18 boards in this area
• Sigma: 4.92
Airline flights
• Units: 9.9 million airline flights in 2004
• Opportunities: 1
• Defects: 25 crashes resulted in fatalities
• Sigma: 6.52
Digital Six Sigma Process Roadmaps
DMADDD
CompanyB™ and the CompanyB logo are trademarks of CompanyB Semiconductor, Inc. All other product or service names are the property of their respective owners. © CompanyB Semiconductor, Inc. 2005.
DMAIC – Patch Management Process
• D – Define: What is important?
• M – Measure: How are we doing?
• A – Analyze: What is wrong?
• I – Improve: What needs to be done?
• C – Control: How do we guarantee performance?
DMAIC project checklist (Phase / Activity; the slide's Target Date and Completion Date columns are blank)
Define
• Schematic (Yyx alignment)
• Team charter
• SIPOC
• "AS-IS" process map
• Voice of Business / Voice of Customer to CTQs
• Cause-and-effect diagram
• Quick wins identified
Measure
• Data collection plan
• Operational definition
• Source of variation study
• Sigma analysis
• Process capability
Analyze
• Pareto analysis & stratification
• Regression analysis
• Root cause analysis
Improve
• Cost benefit plan
• Alternative solutions identified
• "SHOULD BE" process map
• Change plan
• Pilot plan and results
Control
• Digitization plan
• Standardization/adoption plan
• Lessons learned and feedback
"Define" phase – Schematic (Yyx alignment)
What is the Big Goal (the Big Y)? Reduce threat to CompanyA business through patch management.
IT resources (bandwidth, vacation backups)
Targets:
• Total cycle time from patch availability to implementation: 7 days
• Impact: 0
• Compliance: 100%
Project governance:
• Sponsors: CISO VP, GIS VP
• Champions: CSC VP, CSC Ops Manager
• Project Steering Committee: CSC Security Ops Director, CompA Security Ops Director
• Process owners: TBD after SIPOC
SIPOC
• Suppliers: MCERT Team (CSC, CompA, MS)
• Inputs: MCERT discussion; deployment plan; Microsoft .cab file; deployment plan / certified package
• Process: Create deployment plan → Create / certify package → Create / send communication → Test
• Outputs: Deployment plan; technical communication; certified package; email
• Customers: SMS / system admins; all CompanyA / CSC / contractors
Quick wins (each scored on the slide against seven YES/NO criteria whose column headings did not survive extraction)
• Define parameters of a healthy SMS client (all YES)
• Publish the policy for infrastructure compliance (YES YES YES NO YES YES NO)
• Weekly compliance reporting status – note: we can do this easily from the central server web reporting (all YES)
• Weekly healthy client compliance – note: we can generate the reports today; is this just reporting? (all YES)
• Define a standard communications policy (YES YES YES NO YES YES YES)
• Standard user FAQ area (all YES)
• Publish policy for patching – cycle time (NO NO YES NO YES YES NO)
• Make available all bundles in one place (all YES)
• List of workstations to be spoon-fed into SMS – this will not include remediation of any issue (all YES)
• Pilot announcement to include specific directions on how to open tickets – specific subject like "MS04-028 pilot issue" (all YES)
Hard to get priorities to do quick wins – but most got done.
"Measure" phase – Data collection plan
Plan columns: performance measure; operational definition; data source and location; who will collect the data; when; how; other data that should be collected at the same time; comments; due date; historical data available (Y/N).

Defect / impact
• Number of pilot users who have installed the patch during the pilot period. Definition: number of users with SMS clients who have installed at the middle and the end of the pilot period. Source: SMS; collected by the SMS team via SMS query at the middle and end of the pilot. Comment: this won't reflect people who have installed on their own and are not in the formal pilot; Dee needs to check if we can do this historically. Due 8-Oct; historical: N.
• Number of unique issues reported during deployment. Definition: both the number of distinct issues reported about the patch during the deployment period and the total number of issues reported about the patch during the deployment period. Source: Monet tickets opened during the deployment period, viewed with a consistent Monet profile; collected daily for the first week of deployment, weekly after that. Comment: try to see if we can get history on this, and provide the number of issues published via FAQ. Due 8-Oct; historical: N.

Cycle time
• Pilot cycle time. Definition: time in days from pilot start date to pilot end date (F – E). Source: SMS; collected by the SMS team at the end of the pilot via the SMS.CompA.com database, for Nov 2003 to current if available. Due 30-Sep; historical: Y.
• Patch deployment cycle time. Definition: time in days from package deployment start to when it passed. Sources: VirusUpdate (scanning data), Update Expert (for all records), SMS central server; collected by MIPS at the end of the deployment period via the daily/weekly scan process, for Nov 2003 to current if available. Comment: approx. 1,000 systems are vulnerable – approx. 98%. Due 30-Sep; historical: Y.

Compliance
• Unhealthy SMS clients – SMS cannot patch these systems. Definition: total number of machines that have SMS installed but do not have a healthy client (has SMS but has not returned inventory within X days). Source: SMS, for machines that have SMS installed; collected by the SMS team as a snapshot from last week's and this week's reports. Collect at the same time: total number of reachable SMS-managed machines that have not reported inventory in X days (X = 7, 14, 21, 30 not reporting in inventory). Comment: don't think we can collect this historically. Due 8-Oct; historical: ????.
• Total Windows machines on the CompA network that should be SMS managed. Definition: includes CompA owned/leased machines, not personally owned or short-term contractor machines. Sources: CSC = Foundscan, CompCheck, browse list; CompA IT = BDNA. Collected as a snapshot: the superset of Foundscan, BDNA, CompCheck and browse list, minus duplicates and servers; will determine what ideal short set of fields to collect. Collect at the same time: machine name and, if necessary, domain or workgroup. Comment: we are not going to do this historically as the data doesn't change that much; should start on this next week. Due: Oct 8 for list of fields, Oct 15 have data, Oct 20 have data ready for review.

Fair amount of work, but useful as it defines what data is available.
Real life – Measure
What we selected and originally started to measure was based on vulnerability scanning.
Accurate, but this wasn't available for every vulnerability; also point-in-time versus continuous.
Ended up using SMS: not as good coverage, but could be used consistently.
Had to do "Measure" twice.
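The data collection plan above gives operational definitions for two of the measures the rest of the deck relies on: an unhealthy SMS client (has the client but has returned no inventory within X days, X = 7, 14, 21, 30) and patch deployment cycle time in days. The following is an added example, not code from the deck and not an SMS query: it assumes a flat export of the SMS inventory with one row per client (hostname, date of last inventory, date the patch was reported installed or none) and computes both measures over a constructed twelve-client sample, counting workdays the way the later result slides do. The `Client` layout, the hostnames and the dates are assumptions.

```python
"""Measure-phase metrics over an SMS-style inventory export.

Added example for this deck (not its code, not an SMS/SCCM query).
Assumed input: one row per SMS client with the date of its last
inventory and the date the patch was reported installed (None = not
installed). The sample below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Client:
    hostname: str
    last_inventory: date        # last inventory the SMS site received
    patched_on: Optional[date]  # None = patch not reported installed


# Windows the data collection plan uses for "not reporting inventory in X days"
HEALTH_WINDOWS_DAYS = (7, 14, 21, 30)

DEPLOYED = date(2006, 3, 6)   # assumed deployment start (a Monday)
SNAPSHOT = date(2006, 3, 20)  # assumed date the inventory export was taken

# Constructed sample: ten clients reporting inventory normally, two stale ones.
SAMPLE_CLIENTS: List[Client] = [
    Client("ws01", date(2006, 3, 17), date(2006, 3, 6)),
    Client("ws02", date(2006, 3, 17), date(2006, 3, 7)),
    Client("ws03", date(2006, 3, 17), date(2006, 3, 8)),
    Client("ws04", date(2006, 3, 17), date(2006, 3, 9)),
    Client("ws05", date(2006, 3, 17), date(2006, 3, 10)),
    Client("ws06", date(2006, 3, 17), date(2006, 3, 13)),
    Client("ws07", date(2006, 3, 17), date(2006, 3, 14)),
    Client("ws08", date(2006, 3, 17), date(2006, 3, 15)),
    Client("ws09", date(2006, 3, 17), date(2006, 3, 15)),
    Client("ws10", date(2006, 3, 17), None),   # healthy but never patched
    Client("ws11", date(2006, 1, 20), None),   # unhealthy: inventory two months old
    Client("ws12", date(2006, 2, 20), None),   # unhealthy at 7/14/21 days, not at 30
]


def unhealthy_clients(clients: List[Client], as_of: date, window_days: int) -> List[Client]:
    """Clients with SMS that have not returned inventory within window_days of as_of."""
    cutoff = as_of - timedelta(days=window_days)
    return [c for c in clients if c.last_inventory < cutoff]


def health_report(clients: List[Client], as_of: date) -> Dict[int, int]:
    """Unhealthy-client count at each window on the plan; SMS cannot patch these."""
    return {w: len(unhealthy_clients(clients, as_of, w)) for w in HEALTH_WINDOWS_DAYS}


def healthy_clients(clients: List[Client], as_of: date, window_days: int = 7) -> List[Client]:
    stale = {c.hostname for c in unhealthy_clients(clients, as_of, window_days)}
    return [c for c in clients if c.hostname not in stale]


def compliance_on(clients: List[Client], on: date) -> float:
    """Share of the given clients with the patch reported installed by 'on'."""
    if not clients:
        return 0.0
    patched = sum(1 for c in clients if c.patched_on is not None and c.patched_on <= on)
    return patched / len(clients)


def workdays_between(start: date, end: date) -> int:
    """Mon-Fri days in (start, end]; the deck's cycle times count workdays only."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def cycle_time_workdays(clients: List[Client], deployed: date, as_of: date,
                        target: float = 0.90) -> Optional[int]:
    """Workdays after deployment until compliance among clients that are healthy
    at the snapshot first reaches target; None if not reached by as_of.
    Unhealthy clients are left out of the denominator and tracked by
    health_report instead, mirroring the plan's split of the two measures."""
    healthy = healthy_clients(clients, as_of)
    on = deployed
    while on <= as_of:
        if on.weekday() < 5 and compliance_on(healthy, on) >= target:
            return workdays_between(deployed, on)
        on += timedelta(days=1)
    return None


def sample_health_report() -> Dict[int, int]:
    return health_report(SAMPLE_CLIENTS, SNAPSHOT)


def sample_cycle_time(target: float = 0.90) -> Optional[int]:
    return cycle_time_workdays(SAMPLE_CLIENTS, DEPLOYED, SNAPSHOT, target)


if __name__ == "__main__":
    print("unhealthy clients by window:", sample_health_report())
    print("workdays to 90% of healthy clients:", sample_cycle_time())
```

On the sample, the two stale clients show up at every window except 30 days for the one whose inventory is a month old, and the healthy population reaches 90% on the seventh workday, which is the shape of the "90% within 7 days" claim later in the deck. Keeping the unhealthy clients out of the cycle-time denominator is a deliberate choice: it is the same split the plan makes, and it keeps a growing population of dead clients from masking a slow deployment.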
"Analyze" phase – Pareto and root cause
[Pareto diagram: failure modes from the Failure Mode and Effect Analysis on the x-axis, relative frequency (0–50%) on the y-axis; the bar labels are not recoverable from the extraction]
This shows the best areas to focus on are:
• Unmanaged systems
• Unhealthy SMS clients
• Scheduling exceptions
Measuring this challenged some long-held assumptions.
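The Pareto step above is a ranking of failure modes by how many unpatched systems each accounts for, with the focus areas being the modes that together cover most of the defects. The following is an added example, not the deck's code or data: the per-mode counts on the original chart are not recoverable, so the tallies are constructed (three mode names are taken from the slide, the rest are illustrative), and the input is one failure-mode label per system still unpatched at the deadline, which is the defect definition the deck uses.

```python
"""Pareto analysis of failure modes (Analyze phase).

Added example for this deck; the per-mode counts on the original chart
are not recoverable, so the tallies below are constructed. Input is one
failure-mode label per system still unpatched after the deadline, as an
analyst would pull it from the ticket and inventory data gathered in the
Measure phase.
"""
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed: 100 unpatched systems, each attributed to one failure mode.
# "unmanaged system", "unhealthy SMS client" and "scheduling exception" are
# the modes named on the slide; the others are illustrative.
_SAMPLE_TALLY = {
    "unmanaged system": 42,
    "unhealthy SMS client": 27,
    "scheduling exception": 15,
    "reboot pending": 8,
    "package install failure": 5,
    "off network during window": 3,
}
SAMPLE_FAILURES: List[str] = [mode for mode, n in _SAMPLE_TALLY.items() for _ in range(n)]

ParetoRow = Tuple[str, int, float, float]  # mode, count, share, cumulative share


def pareto(failures: Iterable[str], cutoff: float = 0.80) -> Tuple[List[ParetoRow], List[str]]:
    """Rank failure modes by frequency and pick the ones to focus on.

    Returns the ranked rows and the modes that, taken in order, account for
    `cutoff` of all defects (the mode that crosses the cutoff is included).
    Ties are broken by name so the output is deterministic.
    """
    if not 0 < cutoff <= 1:
        raise ValueError("cutoff must be in (0, 1]")
    counts = Counter(failures)
    total = sum(counts.values())
    if total == 0:
        return [], []
    rows: List[ParetoRow] = []
    focus: List[str] = []
    cumulative = 0.0
    for mode, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        share = n / total
        if cumulative < cutoff:  # still below the cutoff before adding this mode
            focus.append(mode)
        cumulative += share
        rows.append((mode, n, share, cumulative))
    return rows, focus


def focus_areas(failures: Iterable[str] = SAMPLE_FAILURES, cutoff: float = 0.80) -> List[str]:
    """Just the modes to work on first."""
    return pareto(failures, cutoff)[1]


def render(rows: List[ParetoRow]) -> List[str]:
    """Text table of the ranked rows (mode, count, share, cumulative)."""
    return [f"{mode:<28} {n:>5} {share:>7.1%} {cum:>7.1%}" for mode, n, share, cum in rows]


if __name__ == "__main__":
    ranked, focus = pareto(SAMPLE_FAILURES)
    print("\n".join(render(ranked)))
    print("focus on:", ", ".join(focus))
```

With these tallies the first three modes cover 84% of the unpatched systems, so the 80% cutoff returns exactly the three bullets on the slide; the cutoff is the only tuning knob, and the tie-break by name is there so two runs over the same data produce the same ranking.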
"Improve" phase – Short term recommendations
[Benefit (low to high) vs. effort (low to high) grid plotting items 1–24; the positions are not recoverable from the extraction]
1. Standard change control window for servers
2. Standard change window for labs/factories
3. Login script to communicate patch status
4. Group policy to enforce SMS client reboot
5. Move all machines into AD domain
6. Ongoing SMS client health monitoring
7. SMS auto-discovery tools for machines in AD domains
8. Predictable reboot delay
9. Allow SMS pull during communications time
10. Add SMS installer to image
11. Increase hardware for Foundstone scanning
12. Foundstone Enterprise
13. Notification via e-mail on patch success
16. Standard disconnection policy
17. Server ownership process
18. Network team to provide network list
19. Report on both pkg. success and applicable reports for pending
20. Standard (rest of item not legible)
21. CSC Patchmanager
22. Standard procedures for Field Services
23. Replace machines for which automated housekeeping (rest of item not legible)
24. Automate housekeeping of machines with low disk space
(Items 14 and 15 are not legible in the extraction.)

"Improve" phase – Long term recommendations
1. Network Admission Control
2. Patch management tool vs. SMS
3. Group policy to prevent login when not patched
4. Group policy to enforce standards
Compliance projection
[Chart: sigma level (0–5) per deployment – MS03-043, MS04-007, MS04-011, MS04-022, MS04-022*, MS04-028*, MS04-032*, MS04-040* – followed by projected levels for short term changes, long term changes without network admission control, and long term changes with only network admission control]
Sigma compliance is measured by the number of systems not patched 7 days after deployment.
6 sigma is achievable if network admission control keeps non-compliant systems off the network.
CompanyA estimated a cost of poor quality reduction of $800K per year.
"Improve" phase – Cycle time projections
Projection of cycle time reductions by implementing changes:
• Short term changes
• Long term changes without network admission control
• Long term changes – just network admission control
[Bar chart: cycle time in days (0–70) for Present, short term changes, long term changes without network admission control, and long term changes with just network admission control; the bar values read 66, 47, 60 and 14 days]
Next steps:
• Quantifiable benefits
• ROI calculations
• Expected results
Measured results – CompanyB only
Improved High & Critical patch deployments
• High risk patch achieves 90%: 24 days in 2005 -> 12 days in 2006
• Critical risk patch achieves 90%: 12 days in 2005 -> 7 days in 2006
• 90% = 2.78 sigma
[Chart: % patched by workday (1–24) for high-risk patches – January (HTML), February (SMB), February (Multiple), June (SMB), July (Multiple), August (PnP), October (MSDTC), November (Graphics); annotation: 90% can be achieved within 7 days during accelerated scheduling; workdays only]
[Chart: % patched by workday (1–15) for critical patches – January (WMF), January (TNEF); workdays only]
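Every sigma figure in the deck comes from one conversion: the circuit-board and airline cases on the "practical use" slide, the compliance projection's "sigma by the number of systems not patched 7 days after deployment", and the "90% = 2.78 sigma" above. Defects per million opportunities (DPMO) is turned into a one-sided normal z-score and the conventional 1.5 sigma long-term shift is added. The following is an added example, not code from the deck; it assumes that standard convention. The circuit-board case (18 defects over 1,000 boards × 58 opportunities) and the 90%-at-day-7 case reproduce the slides' 4.92 and 2.78. The airline case with the numbers shown (25 in 9.9 million) comes out at roughly 6.1 rather than the 6.52 printed, so it is computed here but not treated as confirmed.

```python
"""Sigma level from defect counts, as used throughout the deck.

Added example, not from the original presentation. Assumes the usual
Six Sigma convention: DPMO = defects / (units * opportunities) * 1e6,
sigma level = z-score with P(Z > z) == defect fraction, plus 1.5.
"""
from statistics import NormalDist

_STD_NORMAL = NormalDist()
SHIFT = 1.5  # conventional long-term shift added to the short-term z-score
_MILLION = 1_000_000


def dpmo(defects: int, units: int, opportunities: int = 1) -> float:
    """Defects per million opportunities."""
    if units <= 0 or opportunities <= 0:
        raise ValueError("units and opportunities must be positive")
    if not 0 <= defects <= units * opportunities:
        raise ValueError("defects must lie in [0, units * opportunities]")
    return defects / (units * opportunities) * _MILLION


def sigma_level(dpmo_value: float, shift: float = SHIFT) -> float:
    """Sigma level for a DPMO value.

    A defect fraction of exactly 0 or 1 has no finite z-score, so those
    saturate to +/-inf instead of raising inside inv_cdf.
    """
    p_defect = dpmo_value / _MILLION
    if p_defect <= 0:
        return float("inf")
    if p_defect >= 1:
        return float("-inf")
    # z such that P(Z > z) == p_defect, i.e. the (1 - p_defect) quantile
    return _STD_NORMAL.inv_cdf(1 - p_defect) + shift


def sigma_from_compliance(compliance_fraction: float) -> float:
    """Sigma for a deployment where the defect is a system still unpatched.

    compliance_fraction is the share of managed systems patched by the
    deadline (day 7 on the slides); one opportunity per system.
    """
    if not 0 <= compliance_fraction <= 1:
        raise ValueError("compliance must be a fraction in [0, 1]")
    return sigma_level((1 - compliance_fraction) * _MILLION)


def sigma_from_unpatched(unpatched: int, managed: int) -> float:
    """Same measure from raw counts: systems not patched at day 7 out of all managed."""
    return sigma_level(dpmo(unpatched, managed, 1))


def circuit_board_example() -> float:
    """Deck's circuit-board case: 1,000 boards x 58 opportunities, 18 defects."""
    return sigma_level(dpmo(defects=18, units=1_000, opportunities=58))


def airline_example() -> float:
    """Deck's airline case: 9.9 million flights, 1 opportunity each, 25 fatal crashes."""
    return sigma_level(dpmo(defects=25, units=9_900_000, opportunities=1))


if __name__ == "__main__":
    print(f"circuit boards:        {circuit_board_example():.2f} sigma")
    print(f"airline flights:       {airline_example():.2f} sigma")
    print(f"90% patched at day 7:  {sigma_from_compliance(0.90):.2f} sigma")
    print(f"1,750 of 17,500 unpatched: {sigma_from_unpatched(1_750, 17_500):.2f} sigma")
```

The 1.5 shift is the part worth knowing when reading the slides: 3.4 DPMO is reported as 6.0 sigma only because of it, and 90% compliance (100,000 DPMO) becomes 2.78 rather than the unshifted 1.28. The last print line is the deck's own definition applied to raw counts, using the 17,500 workstation figure from the next slide with an assumed 10% unpatched.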
Measured results – CompanyB only
CompanyB Microsoft patch compliance – 2005/06 (approx. 17,500 SMS managed workstations)
[Chart, March through January: % compliance (80–100% axis) rose from 80.9% to the 97–98.5% range; the average number of patches installed per workstation rose from 42 to 87 while the average number missing fell from 11 to 1]
"Control" phase
• The process is standardized, with the vendor for problem resolution.
• Critical risk patching follows an accelerated process.
[Process flow as recoverable from the slide]
Vendor release → rated Medium/Low, High or Critical → reboot delay options
Pilot test → Fail: problems reported → Pass: patch deployed as advertised for 2 days → deployment changed to mandatory after 2 days → report if missing
Daily patch update reports → compliance reports changed to schedule → IT management informed where compliance is low
Conclusion
Start with client needs – "voice of the customer".
Get management support by following the Digital Six Sigma methodology (or another company-backed program):
• Define, Measure, Analyze, Improve, Control
• http://www.isixsigma.com
• http://sixsigmatutorial.com
Follow consistent processes:
• Reducing variability is key.
Use tools that provide fast and accurate data (the correct tools for the job).

Real Life Conclusions

Questions?