Teaching the Ishikawa's "fishbone" as a planning tool: responsibility and action planning matrices applied to airport security and network security.

Parayitam, Satyanarayana ; Desai, Kiran ; Desai, Mayur S. 等

INTRODUCTION

Security at major international airports (USA, UK, Germany, France, Japan, India, and Singapore etc) has embarked upon installation and testing of new security methods especially after 9/11 terrorist attacks on USA. Some of the examples of the new security methods include: new baggage-screening machines, controlling, controlling departure terminal entry and doubling federal security personnel in dozens of airports. The high-tech baggage screeners with advanced X-ray capabilities cost up to $1 million each. Additionally, the expense of airport security personnel is being increased as airport security personnel are being added to the federal employment rolls. The U.S. Congress believes airport security personnel will be better trained and supervised as a federal force. There have been many arguments over whether such increased security equipment or the presence of a federal airport security operation would have precluded or had any effect on the events of September 11. While that debate continues, it does offer the opportunity to apply a well-known Planning/Operations Management technique to assessing the problem by using a reverse-evaluation/ engineering approach.

LITERATURE REVIEW

The reverse engineering application of fishbone analysis (FA) to solve product-related problems and develop end-of-life product strategies is supported by several studies (Barr, Schmidt, Krueger & Twu, 2000; Ishii & Lee, 1996; Lee, Rhee, & Ishii, 1997; Otto & Wood, 1996; Rose & Ishii, 1999). The fishbone diagram has also been utilized to evaluate health care services; first, in a hospital setting to assess and reduce delays in the treatment of patients receiving coronary thrombolytic therapy (Bonetti, 2000) and to identify improvement strategies and training needs for physicians, nurses and other caregivers (Cohen, 2002). The cause and effect value of FA is demonstrated in studies conducted by Yu (1998) and Constantinides (1999) to identify root causes for software coding faults, and to categorize different causes of software communication failure. Finally, the effectiveness of FA used as a planning tool to improve quality processes and increase revenues is demonstrated by Lore (1998), Geerts & McCarthy (2000), Wilcox & Discenza (1994), and Clark (2000).

In the present paper we propose to provide two examples of application of fishbone diagram to (i) Airport security, and (ii) Network security.

THE APPLICATION OF FISHBONE DIAGRAM TO AIRPORT SECURITY

The application of a Fishbone (Ishikawa, 1996) diagram to the problem of "how a passenger can board a plane with a weapon" reveals six potential categories of possible causes (Figure 1).These are Method, People, Equipment, Material, Environment, and Measurement. A Responsibility Matrix (2) is then constructed to identify who has ownership of the causes and what action should be taken (Table 1).

[FIGURE 1 OMITTED]

Next, an Action Planning Matrix (Table 2) begins with the actions to be taken as identified by the Responsibility Matrix, and further identifies needed resources to support actions, and an expected time frame for results. Each category is presented and discussed in the following.

RESPONSIBILITY AND ACTION PLANNING MATRICES

Method

The Method Category of the Fishbone diagram represents the methods of enforcing security at the airport that could be the possible causes of security breaches. The four possible causes for the passenger boarding the plane with a weapon are Electronic Search Techniques, Ineffective Sampling Methods, Baggage viewing, and Physical Search.

Electronic Search Techniques

Electronic Search Techniques may be ineffective if the equipment is poorly designed or incapable of detecting all possible type of weapons. To ensure efficiency, the equipment should be maintained and calibrated at regular time intervals. This same reasoning applies to all checked baggage. This is the responsibility of the Maintenance Supervisor who has a direct control over the cause. The action to be taken is to maintain and calibrate equipment at regular time intervals. As indicated on the Action Planning Matrix, maintenance training is provided by manufacturer; however, additional human resources will need to be hired to administer the revised maintenance schedule, and this action should be accomplished within 60 days.

Ineffective Sampling Methods

Another cause of security breach is the ineffective sampling techniques. Oftentimes, security personnel subject the passengers to check at random and this may result in allowing the potentially threatening passengers unchecked. The action need to be taken is have effective sampling methods.

Baggage Viewing

Screeners should do Baggage Viewing of carry-on luggage attentively. Laxness or in-attention by the screeners will allow objects to go undetected.

Physical Searches

Performing Physical Searches when needed (as indicated by behavior, prior information, metal detector alarm etc.), on the passengers could be a potential cause because there is a chance that it is not being done properly or completely. Improper physical checking may allow a passenger to board the plane with a weapon. The correcting of Ineffective Sampling Methods, Baggage Viewing, and Physical Searches are all the responsibility of the Head of Airport Security who have a direct control over these things. The action to be taken should be to ensure effective sampling methods and adequate sample size (and possibly check every passenger by taking extra time and effort), frequently rotate baggage viewing personnel to reduce boredom and drudgery, and ensure accurate physical searches through proper training of employees in observational and search procedures and efficient execution in searching all or designated passengers.

According to the Action Planning Matrix, the resources needed to accomplish the recommended actions include software for computerized random sampling methods and scheduling for employee rotations, and additional training in observational techniques for Baggage Viewing, as well as simulation training for physical searches. Additional resources will also be required to provide competency evaluations subsequent to training. The actions necessary to prevent Ineffective Sampling Methods, and accomplish effective Baggage Viewing and Physical Searches should be accomplished within a 30-day timeframe.

People

This category includes the people having any involvement in basic airport operations or using airport services. Four groups (see Figure 1) shown on the diagram could be as the possible causes for a security failure. These are Passengers in the check-in and boarding areas, Airport Security Personnel, Airport Employees (non-security, shop and restaurant employees), and the Flight Crew (ticket agents, cabin and flight deck). They are listed on the responsibility matrix as having some control over the passenger boarding the plane with a weapon. The passenger with the weapon is considered as part of the problem and not a cause.

Passengers are a possible cause as they have the responsibility of cooperating with all of the security procedures established and implemented for their safety. They could aid in the effectiveness of security if they report strange behavior immediately. The passengers' cooperation is considered as part of the responsibility of the Airport Management and they have some of control. The action to be taken is to let the passengers know how the security procedures affect their safety, the processes and mechanisms available for providing input and what items are prohibited as carry on. This would help them to be more cooperative and attentive to what is going on in their surroundings. This task can be accomplished within two weeks, using minimal resources to create signs and make public address announcements effective.

Members of Airport Security Personnel are the most important cause because they have the responsibility of being alert to a security breach and available to immediately respond to such occurrences. They should be trained properly upon hiring to act upon any violation of airport security protocol. The Head of Security has the responsibility for this cause and has direct control. Head and Security personnel must make sure that each security guard is properly trained and well-supervised. The action that must be taken is physically monitoring security personnel by having someone walking around observing procedures. The availability of cameras to monitor real time activities also provides for immediate corrective action. This action can be accomplished within one week using resources already in place.

General Airport Employees are another possible cause as identified in the diagram. Airport employees should be looking for unusual or suspicious behavior and trained in response procedures. To eliminate the employees entering aircraft with a weapon (or any act like that) pre-employment checks must be performed. Human Resources for the airport and individual airlines have responsibility for this cause and they have direct control. The action to be taken is an upgrade of hiring procedures to assure only qualified individuals are selected. This action can be accomplished with two weeks by engaging professional

services to perform pre-employment background checks. This will require additional budgetary funding to cover the cost of these contractual services.

The Flight Crew has the responsibility of being attentive and aware of what is happening on the actual airplane during boarding and flight. This is the responsibility of Airline Management and they have direct control over the cause. The action to be taken is to properly train flight attendants and pilots in observational techniques, response procedures and encourage alertness. This action can be accomplished within 30 days by utilizing simulation-training professionals who are already employed by the airline.

Equipment

The Equipment category lists some of the basic equipment used at checkpoints to detect objects on passengers. The possible causes in this category of a passenger passing a checkpoint and boarding a plane with a weapon are as follows: X-Ray Machines, Magnetic Wands, Video Cameras, and Metal Detectors. These types of equipment could be possible causes of the problem if they are not used properly or if they are not used to their full potential. Equipment may also be out-dated and/or out of calibration, which could cause major problems in how it performs. These issues are the responsibility of the Head of Airport Security who has a direct control over the cause. The action to be taken is to provide better training for employees in equipment use and video surveillance to pay more attention to details. The equipment should also be checked in a set protocol for maintenance and calibration, and the checkpoints should be re-designed for maximum efficiency. This will require increased budgetary resources to purchase up-to-date equipment and tools, and to hire additional human resources for re-designed checkpoints. With the proper resources, this could be accomplished within 90 days.

Material

The Material category includes the items which constitute a hidden weapon (metal, ceramic, plastic etc.). This includes items On the Passenger, items in Carry-On Baggage, or items that may be brought aboard by Service Personnel.

Passengers could easily hide things in their bags that they are not allowed to carry on themselves. The Carry-On Baggage can be potential cause if it is not searched properly. Each bag should be of proper size and weight as per what is allowed. The materials named here are all the responsibility of Security and they have a direct control over the cause. The actions to be taken include a physical search of virtually all passengers using wands, metal detectors, and other search techniques. Carry on Baggage must be physically checked for banned items. Size and weight limits for carry-on baggage must be posted and strictly enforced. Physically searching every passenger will require additional human resources and re-designed security checkpoints. Size and weight limits for carry-on baggage can be communicated to passengers via signs at the airport, as well as through TV and radio airtime, and the use of printed media to inform the public. With these resources in place, we can expect the accomplishment of these recommended actions within 60 days.

Service Personnel could also transport banned items hidden within their clothing, or in their equipment. The actions of Service Personnel fall under the supervision of Airport Management, and they have a direct control over the cause. The actions to be taken include requiring security clearance and a background check for all service personnel, as well as training service personnel to observe unusual peer behavior. Just as for the afore-mentioned airline employees, Airport Management can accomplish the recommended actions by engaging professional services to perform pre-employment background checks. They should also utilize simulation training for observational techniques. This may require hiring instructors, or establishing a cooperative agreement with the Airlines to utilize their instructors. With the proper resources in place, these recommended actions should be accomplished within 30 days.

Environment

The Environment Category identifies causes related to the environment at the airport that can cause a passenger to board a plane with a weapon. This category identifies such factors as the Fast Pace of travel, Over-crowding, Time Limits to catch a flight, and the Impatience exhibited by the Passengers and others identified in the people category.

The airport being so Fast-Paced can cause the security process to be rushed. This would cause items on the passenger to not be detected. This cause is the responsibility of the Head of Airport Security and he has a direct control over the cause. The Head of Airport Security should enforce taking necessary time to do the job right regardless of complaints from waiting passengers. Over-crowding can cause a problem as it would become easier for someone to slip by without being searched completely. This is the responsibility of the Airport Management and they have a direct control over the cause. The action to be taken would be to have a sufficient number of properly trained personnel to meet the queue generated by flight schedules. This would help expedite the security check in process, reducing impatience and frustrations without sacrificing accuracy.

Time Limits are a cause because the airport is overcrowded, lines tend to be long and passengers are rushed. This leads to the fourth cause which is Passenger Impatience. Security feels pressure to release passengers without fully checking them because they are in a rush to get to their plane. All of these are the responsibility of the Airport Management and they have a direct control because they should enforce safety first. The actions to be taken include hiring adequate human resources to efficiently process passengers through security, thereby reducing passenger impatience while keeping public safety paramount. The actions necessary are to manage the Fast Pace of travel, reduce Over-crowding and Passenger Impatience, and work within Time Limits could be accomplished with additional human resources and a public education program to inform passengers that it is necessary to allow at least one hour to check in for a flight. With these resources in place, the recommended actions can be accomplished within 60 days.

Measurement

The last category is Measurement. This category deals with measures of the effectiveness of Security. This includes Percentage of Safe Flights, Prohibited Items Detected, Number of People Apprehended, Equipment Calibration, and Training/Experience of Security.

The Percentage of Safe Flights, Prohibited Items Detected, and Number of People Apprehended can measure the effectiveness of Security. These are the responsibility of Airport Security who has some control over the Percentage of Safe Flights, a direct control over the Prohibited Items Detected, and Number of People Apprehended. The action to be taken is improving the security process, and reporting and reviewing the Percentage of Safe Flights, Prohibited Items Detected and the Number of People Apprehended. Airport Security should use Continuous Improvement (Daft, 2006) methods to monitor and improve security processes, frequency of incidents, and training of security personnel. There are no additional resources required to accomplish these actions. Administrative resources are already in place, and these tasks should be accomplished within 30 days.

Equipment Calibration is a very important cause. The equipment should be tested periodically to assure it is working properly. Equipment that is not working properly could allow a passenger to get through security with an undetected weapon or to be unnecessarily detained. This cause is the responsibility of the Security and they have a direct control over the cause. They should improve the equipment by doing maintenance checks at regular intervals and acquiring more up-to-date equipment. These recommended actions will require additional human and financial resources to purchase up-to-date equipment. These actions can be accomplished within 60 days of obtaining the required resources.

The last cause, Training/Experience of Security, deals with how well security personnel have been trained. This is the responsibility of the Head of Airport Security and he has a direct control over the cause. This is a control function and the action to be taken is to monitor and evaluate training results, redesign training programs and retrain on a continuing basis. The administrative resourced needed for these actions are already in place, and results should be available within 30 days.

THE APPLICATION OF FISHBONE DIAGRAM TO NETWORK SECURITY

Computer network has become an integral part of the business and hence keeping the network running all the time is crucial to the existence of the business. We live in a world that relies increasingly on its communications infrastructure. Network availability problems affect customers and their businesses, and can damage trust in the resilience of the network. As such, ensuring that networks are robust, reliable and resistant to external attack is a key part of network design (Harman et al. 2006). Some of the examples of network technologies used by the businesses are electronic data interchange (EDI), web-based applications (Liu & Mackie, 2006), LANs, WANs etc. EDI usage is expected to increase in the immediate future and its high growth in a potentially paperless environment presents a variety of security risks, such as disclosure of messages, tampering with messages, etc. (Bannerjee & Golhar, 1995). Dow chemicals is one of the many companies which uses web-based applications. Dow uses state-of-the-art IT security system and addressed this issue by implementing a high standard Cyber security system for its e-business based on the Chemical Sector Cyber Security Program. (Chen et al, 2006). The use of Internet technologies has substantially increased the vulnerability of information systems. One of the fastest growing threats on the Internet is the theft of sensitive financial data. Failure to include basic information security unwittingly creates significant business and professional risks (Beard & Wen, 2007). One of the security issues in the use of network involves information passing over the network. Information security encompasses technology, processes, and people. Technical measures such as passwords, biometrics, and firewalls alone are not sufficient in mitigating threats to information. A combination of measures is required to secure systems and protect information against harm (Veiga & Eloff, 2007). The harm could also be caused by generating a virus. A computer virus is a software code that can multiply and propagate itself. A virus can spread into another computer via e-mail, downloading files from the Internet, or opening a contaminated file. It is almost impossible to completely protect a network computer from virus attacks; the CSI/FBI survey indicated that virus attacks were the most widespread attack for six straight years since 2000 (Lin, 2006). Information security is a responsibility of every individual working in various functional areas of an organization. In order to secure information it is important for an organization to have an integrated security approach that engages multiple functional levels in an organization from the Board and management to IT staff and individual users (Higgins, 1999).

In order to minimize the risk of network failure and to secure it from being "attacked" by any means to disrupt the business the organizations should have a formal plan of managing and securing network. Fishbone diagram technique can help understand and manage the network. It also further helps in identifying the causes of the network failure and provides an early plan. Proactive measures can help protect the network. Figure 2 (Fishbone diagram) shows the causes of possible failure of the network. Using this diagram business manager can proactively plan to prevent failure of network. Action planning matrix and responsibility matrix are presented in Tables 3 and 4 respectively.

[FIGURE 2 OMITTED]

CONCLUSION

As a teaching exercise, the creation of the Fishbone diagram is very helpful in planning for the prevention of problems. It allows the student to look at the possible problem and then brainstorm all possible causes for that problem. While the Fishbone Analysis is very useful, the addition of a Responsibility Matrix adds strength to the process by identifying the degrees of control and responsibilities parties to the problem have and recommended actions to be taken. An Action Planning Matrix then allows planning for needed resources to prevent the problem or its recurrence by identifying the resources needed as well as a time frame for expected results. The Fishbone Analysis, Responsibility Matrix and Action Planning Matrix show the interdependencies among the players and identify the processes necessary to prevent potential problems.

REFERENCES

Bannerjee, S. & Golhar, G.Y.(1995). Security issues in the EDI environment, Information Management and Computer Security, 3(2): 27-33

Barr, R.E., Schmidt, P.S., Krueger, T.J., & Twu, Chu-Yu. (2000). An Introduction to Engineering Through an Integrated Reverse Engineering and Design Graphics Project, Working paper, ME Depart., University of Texas at Austin.

Beard, D, & Joseph H. Wen, J.W. ( 2007), Reducing the Threat Levels for Accounting Information Systems, The CPA Journal. 77 (5): 34-41

Bonetti, P.O., Wackerlin A., Schuepper, G., & Frutiger, A.(2000). Improving Time-Sensitive Processes in the Intensive Care Unit: The Example of "Door-to-Needle Tim in Acute Myocardial Infarction, International Journal for Quality in Health Care, 12 ( 4):311-317.

Chen, J.C.H., Chiniwar, S., Lin, B., & Chen, P. (2006). Security in e-business and beyond: a case study reflecting current situations and future trends, International Journal of Mobile Communications, 4(1):17-33

Clark, T. J.(2000). Getting the Most From Cause and Effect Diagrams, Quality Progress, 33(6): 152.

Cohen, L.(2002).Current Issues in Agitation Management, Advanced Studies in Medicine, 2(9): 332-337.

Constantinides, P. C., & Rudnicky, A. I. (1999). Dialog Analysis in the Carnegie Mellon Communicator, Working paper, School of Computer Science, Carnegie-Mellon University.

Daft R.L., & Marcic, D. (2006). Understanding Management. Thompson South-Western, Mason, OH.

Geerts, G. L., McCarthy, W. E. (1999). The Ontological Foundation of REA Enterprise Information Systems", Working paper, Department of Accounting, University of Delaware

Harman, B., Burness, L., Corliano, G., & Murgu, A. (2006). Securing network availability. BT Technology Journal. 24(2): 65-71.

Higgins, H. N. (1999). Corporate system security: towards an integrated management approach, Information Management and Computer Security, 7(5): 217-222.

Ishii, K., & Lee, B.(1996). Reverse Fishbone Diagram: A Tool in Aid of Design for Product Retirement, Proceedings, ASME Design Technical Conference, Paper # 96-DETC/DFM-1272.

Ishikawa K. (1976).Guide to Quality Control, Asian productivity Organization, Nordica International Ltd. Hong Kong.

Lee, B. Rhee, S., & Ishii, K. (1997) Robust Design for Recyclability Using De-Manufacturing Complexity Metrics, Proceedings of ASME Design Engineering Technical & Computers in Engineering Conference, 1-8.

Lin, P. P. (2006). System Security Threats and Controls, The CPA Journal. 76(7): 58-65.

Liu, C., & Mackie., B.G. (2006). Teaching Security Techniques in an E-Commerce Course, Journal of Information Systems Education. 17(1): 5-10

Lore, J. (1998). A New Slant on Fishbones. Quality Progress, 31(9): 128

Otto, K. N., & Wood, K. L. (1996). A Reverse Engineering and Re-Design Methodology for Product Evolution, Proceedings of ASME Design Theory and Methodology Conference, 1-10.

Rose, C., & Ishii, K. (1999). Product End-of-Life Strategy Categorization Design Tool, Journal of Electronics Manufacturing, 9(1): 41-51.

Russell, R., & Taylor, B. (2006) Operations Management, Quality and Competitiveness in a Global Environment, Wiley.

Stevenson, W.J. (2005). Operations Management. McGraw-Hill, Burr Ridge Parkway, IL.

Veiga, A D., & Eloff, J.H.P. (2007) An Information Security Governance Framework, Information Systems Management. 24 (4): 361-372

Wilcox, K., & Discenza, R.(1994). Auditing: The TQM Advantage, CA Magazine, 37-41.

Yu, W. (1998). A Software Fault Prevention Approach in Coding and Root Cause Analysis, Bell Labs Technical Journal, 3-31.

Satyanarayana Parayitam, University of Massachusetts Dartmouth

Kiran Desai, McNeese State University

Mayur S. Desai, Texas Southern University

Mary K Eason, McNeese State University Table 1. Responsibility Matrix Airport Security CAUSE DESCRIPTION RESPONSIBILITY METHOD Electronic Search Is technology up-to- Maintenance Techniques date/working properly Supervisor Ineffective Is it random/adequate Head of Security Sampling Methods sample size? Baggage Bags being viewed Head of Security Viewing attentively Physical Search Performed properly and Head of Security completely PEOPLE Passengers Cooperative/Notice Airport Management Strange Behavior Airport Security Properly trained/Alert, Head of Airport Personnel well-supervised Security Airport Employees Looking for unusual or Human Resources suspicious activity Flight Crew Be attentive and aware Airline Management during boarding and flight EQUIPMENT X-ray machines Used properly to fullest Head of Security potential, up-to-date maintenance Magnetic Wands Used properly to fullest Head of Security potential, up-to-date maintenance Video Cameras Used properly to fullest Head of Security potential, up-to-date maintenance Metal detectors Used properly/ Head of Security calibrated MATERIAL Items on Passenger Passengers can easily Head of Security hide prohibited items if not properly searched In Carry-on Proper size/checked Head of Security Baggage thoroughly On Service Banned items could be Airport Management Personnel hidden in clothing or equipment ENVIRONMENT Fast-Pace Security Process rushed Head of Airport Security Over-Crowding Too many passengers at Airport Management the same time Time Limits Pressure to release Airport Management passenger Passenger Passengers get angry Airport Management Impatience /unruly MEASUREMENT % of safe flights # of flights without Airport Security incident Prohibited Items Number of objects Airport Security Detected detected # People Number of passengers Airport Security Apprehended apprehended for prohibited items Equipment Is equipment calibrated Airport Security Calibration as recommended by the manufacturer Training/ Proper and effective Head of Airport Experience training methodology Security of Security CAUSE DEGREE ACTION TO BE TAKEN OF CONTROL METHOD Electronic Search Direct Maintain and calibrate equipment at Techniques regular time intervals Ineffective Direct Efficiently search all or designated Sampling Methods passengers Baggage Direct Proper training of employees, Viewing frequent rotation of employees Physical Search Direct Proper training of employees in search techniques PEOPLE Passengers Some Encourage cooperation by Informing passengers it is for their safety, explain processes for reporting strange behavior Airport Security Direct Monitor security personnel by camera Personnel and supervisory observation Airport Employees Direct Upgrade hiring practices, Hiring highly qualified employees Flight Crew Direct Properly train flight crew in observational techniques and response procedures EQUIPMENT X-ray machines Direct Proper training in use of equipment for employees, emphasis on detail, equipment properly maintained and calibrated, re-design checkpoints for maximum efficiency Magnetic Wands Direct Proper training in use of equipment for employees, emphasis on detail, equipment properly maintained and calibrated, re-design checkpoints for maximum efficiency Video Cameras Direct Proper training in video surveillance for employees, emphasis on detail, equipment properly maintained and calibrated, re-design checkpoints for maximum efficiency Metal detectors Direct Proper training in use of equipment for employees, emphasis on detail, equipment properly maintained and calibrated, re-design checkpoints for maximum efficiency MATERIAL Items on Passenger Direct Physical search of passengers using wands, metal detectors, and other search In Carry-on Direct Look for banned items, Post size and Baggage weight limits and strictly enforce On Service Direct Require security clearance and Personnel background check for all service personnel; train service personnel to observe unusual peer behavior ENVIRONMENT Fast-Pace Direct Take time to do job correctly Over-Crowding Direct Hire additional human resources Time Limits Direct Public safety paramount Passenger Some Keep passenger pacified Impatience MEASUREMENT % of safe flights Some Use Continuous Quality Improvement methods to monitor security processes and training of security personnel Prohibited Items Direct Use Continuous Quality Improvement Detected methods to monitor security processes and training of security personnel # People Direct Inform public regarding prohibited Apprehended objects and acceptable airport behavior. Enforce strict sanctions for violators. Equipment Direct Improve/add maintenance checks. Calibration Acquire more up-to-date equipment. Training/ Direct Evaluate training results. Take Experience corrective action when necessary. of Security Monitor performance of security personnel. Table 2: Action Planning Matrix Airport Security ACTION TO BE TAKEN WHO WHEN METHOD Maintain and calibrate equipment Maintenance 60 days at regular time intervals Supervisor Efficiently search all or Head of security 30 days designated passengers Proper training of employees, Head of security 30 days frequent rotation of employees Proper training of employees Head of security 30 days in search techniques PEOPLE Encourage cooperation by Informing Airport Management 2 weeks passengers it is for their safety, explain processes for reporting strange behavior Monitor security personnel by Head of security 1 week camera and supervisory observation Upgrade hiring practices, Hiring Human Resources 2 weeks highly qualified employees Properly train flight crew in Airline Management 30 days observational techniques and response procedures EQUIPMENT Proper training in equipment use Head of security 90 days and video surveillance for employees, emphasis on detail, equipment properly maintained and calibrated, re-design checkpoints for maximum efficiency MATERIALS Physical search of passengers Head of Security 60 days using wands, metal detectors, and other search Look for banned items; Post size Head of Security 60 days and weight limits and strictly enforce Require security clearance and Airport Management 60 days background check for all service personnel; train service personnel to observe unusual peer behavior Inform public of restrictions on Airport management 60 days carry-on items ENVIRONMENT Hire more personnel to control Airport management 60 days over-crowdedness Enforce complete security searches Head of security 60 days regardless of rush Keep public safety paramount Airport Management 60 days MEASUREMENT Make report of safe flights, Head of Security 30 days prohibited items detected, and # of apprehended passengers. Use CQI methods to monitor incidents and improve procedures. Improve/ add maintenance checks. Head of Security 60 days Acquire more up-to-date equipment. Evaluate training results. Take Head of Security 30 days corrective action when necessary. Monitor performance of security personnel. ACTION TO BE TAKEN RESOURCES METHOD Maintain and calibrate equipment Training provided by manufacturer; at regular time intervals additional human resources to facilitate maintenance schedule Efficiently search all or Computerized random sampling designated passengers methods, training in observational techniques Proper training of employees, Competency evaluation, frequent rotation of employees Computerized scheduling for rotations Proper training of employees Simulation training instructors in search techniques PEOPLE Encourage cooperation by Informing Signs, Public Address passengers it is for their safety, Announcements explain processes for reporting strange behavior Monitor security personnel by Resources already in place camera and supervisory observation Upgrade hiring practices, Hiring Budget resources needed to engage highly qualified employees professional services to perform pre-employment background checks Properly train flight crew in Utilize simulation training observational techniques and professionals currently on staff response procedures EQUIPMENT Proper training in equipment use Increase budget to purchase and video surveillance for additional equipment and tools, employees, emphasis on detail, and to hire additional human equipment properly maintained and resources. calibrated, re-design checkpoints for maximum efficiency MATERIALS Physical search of passengers Increased human resources; using wands, metal detectors, re-design check points for and other search efficiency Look for banned items; Post size Signs, TV and Radio airtime, and weight limits and strictly print media to inform public enforce Require security clearance and Engage professional services to background check for all service perform background check. Utilize personnel; train service personnel simulation training for to observe unusual peer behavior observational techniques. Hire instructors or utilize airline instructors. Inform public of restrictions on TV & radio airtime, print media carry-on items ENVIRONMENT Hire more personnel to control Human resources over-crowdedness Enforce complete security searches Training/ supervision, educate regardless of rush passenger to come early, say at least 1 hour before flight departure time. Keep public safety paramount Resources necessary to utilize media to manage expectations of passengers and educate them regarding security procedures MEASUREMENT Make report of safe flights, Administrative resources already prohibited items detected, and # in place of apprehended passengers. Use CQI methods to monitor incidents and improve procedures. Improve/ add maintenance checks. Additional human and financial Acquire more up-to-date equipment. resources Evaluate training results. Take Administrative resources already corrective action when necessary. in place Monitor performance of security personnel. Table 3: Responsibility Matrix Network Security CAUSE DESCRIPTION RESPONSIBILITY DEGREE OF CONTROL METHOD Firewalls Gateway to information IT Security Some resources Supervisor Isolation of Physical Separation IT Security Direct Critical of the components on Supervisor Components networks on Network PEOPLE Internal Cooperative/Notice Supervisor/ Some End Users Strange Behavior Management External Cooperative/Notice Supervisor/ Some End Users Strange Behavior Management IT Properly trained/ Head of IT Direct Professionals Ethical Security EQUIPMENT Monitoring Monitor Network IT Network Staff Direct Equipment Activity Test Equipment Regularly test network IT Network Staff Direct hardware & software Maintenance Used properly to IT Network Staff Direct Equipment fullest potential, up-to-date maintenance MATERIAL Hardware Computer hardware and IT Network Direct peripherals on the Manager network Software Application, System, IT Network Direct and Network software Manager ENVIRONMENT Centralized Computing is IT Network Direct controlled centrally Manager Decentralized Computing is IT Network Direct controlled at Manager several places Distributed Processing is IT Network Direct distributed Manager across the network MEASUREMENT # of Intrusions # of unauthorized IT Security Some access to network Manager Performance & Measure the network IT Administrator Direct Tuning (Hardware) hardware performance Performance & Measure the network IT Administrator Direct Tuning (Software) software performance CAUSE ACTION TO BE TAKEN METHOD Firewalls Identify resources which need to be protected Isolation of Identify the components on Critical networks that need to be Components separated on Network PEOPLE Internal Encourage end users to follow End Users company policy regarding using computing resources on network External Encourage external end users to End Users follow company policy regarding using computing resources on network IT Provide training regarding Professionals information protection, Hire qualified IT professionals, check their background EQUIPMENT Monitoring Monitoring plan--list what to Equipment monitor and how often Test Equipment Develop routing test plan Maintenance Develop and follow Network Equipment Maintenance Plan MATERIAL Hardware Make sure all the computing hardware on the network are properly working and are secured Software Make sure all the software installation is functional and secured ENVIRONMENT Centralized All the software and storage is controlled centrally Decentralized Coordinate activities at different nodes in decentralized environment Distributed Data processing and management is distributed making it secured is more critical MEASUREMENT # of Intrusions Track unauthorized access to network Performance & Monitor and measure the access Tuning (Hardware) rates, data processing efficiency and make continuous adjustments Performance & Monitor and measure the access Tuning (Software) rates, data processing efficiency and make continuous adjustments Table 4: Action Planning Matrix Network Security ACTION TO BE TAKEN WHO WHEN METHOD Setup the proper firewalls to DBA-In my As needed secure the sensitive information opnion should from intruders be network administrator Identify the network that needs Network As needed to be isolated from the internet Administrator or other networks--and make sure that it is physically separate from rest of the network PEOPLE Educate internal end users about Management 6 months to importance of securing resources 1 year connected to the network Educate external end users about Management 6 months to importance of securing resources 1 year connected to the network IT Professionals should be IT Manager Periodically regularly trained in what as needed resources are critical and needs to be secured on the network EQUIPMENT Monitoring equipment need to IT Manager 30 days or be regularly tested for its as needed functionality and additional monitoring equipment need should be assessed Test equipment need to be IT Manager 30 days or regularly tested for its as needed functionality and additional test equipment need should be assessed Maintenance equipment need to IT Manager 30 days or be regularly tested for its as needed functionality and additional maintenance equipment need should be assessed MATERIALS Keep track of all hardware and IT Manager 6 months make sure they are well secured and in warranty Keep track of all application DBA--IT Daily and system software and make Manager in my sure they are working as per opinion specifications ENVIRONMENT Centralized environment DBA-My Daily generally has a mainframe or Opinion should a large computer that has all be Centralized software and other components environment on the network are simple Administrator terminals Identify various servers Data Weekly (database, application etc.) Administrator and sort out the information (DA) distribution to specify different levels of control and accessibility. The servers are not connected via networks but each server has several clients (independent networks of client/server) In distributed environment the Data Weekly control is critical since all Administrator the servers are connected via (DA) network and determining who has what level of access is important MEASUREMENT Keep a log of the access to DA Daily servers by individuals so that any illegal access could be identified Continuously measure the DA Daily performance of the servers and clients--amount of data processed, number accesses, reason for accesses etc. Continuously measure the DA Daily performance of the Applications on servers and clients--amount of data processed, number accesses, reason for accesses etc. ACTION TO BE TAKEN RESOURCES METHOD Setup the proper firewalls to DBAs should be trained to secure the sensitive information identify proper places where from intruders firewalls are needed Identify the network that needs Provide training and proficiency to be isolated from the internet to network administrators or other networks--and make sure that it is physically separate from rest of the network PEOPLE Educate internal end users about Track internal end users and importance of securing resources provide training and sense of connected to the network awareness Educate external end users about Track external end users and importance of securing resources provide training and sense of connected to the network awareness IT Professionals should be Well-defined training programs regularly trained in what for IT Professionals resources are critical and needs to be secured on the network EQUIPMENT Monitoring equipment need to Increase budget to purchase be regularly tested for its additional equipment and tools, functionality and additional and to hire additional human monitoring equipment need resources. should be assessed Test equipment need to be Increase budget to purchase regularly tested for its additional equipment and tools, functionality and additional and to hire additional human test equipment need should be resources. assessed Maintenance equipment need to Increase budget to purchase be regularly tested for its additional equipment and tools, functionality and additional and to hire additional human maintenance equipment need resources. should be assessed MATERIALS Keep track of all hardware and Backup hardware and staff to make sure they are well secured manage hardware and in warranty Keep track of all application Backup software in case of failure and system software and make and skill staff to bring up the sure they are working as per system specifications ENVIRONMENT Centralized environment Should have a trained software generally has a mainframe or personnel who understands the a large computer that has all centralized control software and other components on the network are simple terminals Identify various servers DA should be trained to (database, application etc.) understand the information and sort out the information distribution on different servers distribution to specify different levels of control and accessibility. The servers are not connected via networks but each server has several clients (independent networks of client/server) In distributed environment the DA should be trained in control is critical since all understanding the network the servers are connected via architecture and information network and determining who has distribution on various servers what level of access is important MEASUREMENT Keep a log of the access to Provide enough support to DA so servers by individuals so that that the log is maintained any illegal access could be regularly identified Continuously measure the Provide enough support to DA performance of the servers and since performance of the network clients--amount of data computing is important to running processed, number accesses, business reason for accesses etc. Continuously measure the Provide enough support to DA performance of the Applications since performance of the network on servers and clients--amount computing is important to running of data processed, number business accesses, reason for accesses etc.