Difference between revisions of "User:Shawndouglas/sandbox/sublevel1"

From LIMSWiki
Jump to navigationJump to search
 
(39 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[File:NISTRiskManApproach.png|right|450px|thumb|'''Figure 4.''' A diagram of an organization-wide risk management approach, as published in NIST SP 800-37 Rev. 2. NIST says this diagram "addresses security and privacy risk at the organization level, the mission/business process level, and the information system level. Communication and reporting are bi-directional information flows across the three levels to ensure that risk is addressed throughout the organization."<ref name="NISTSP800-37v2_18" />]]After discussing cloud standards, regulations, and security, it makes sense to next address the topic of [[cloud computing]] [[risk management]]. Risks beget risk management, which in turn begets security. Whether the risks are near the home, on an airplane, or with an online bank account, risk management practices limit the risks, usually through some "security." "The five-year crime numbers in my neighborhood are going up," one might assess. "I shall manage the risk with a home security system," is the risk management action performed. In the same way, engineers add multiple layers of redundancy to an airplane's components to mitigate the assessed risk of instrument failure, and banks require access controls like strong passwords on online accounts to protect customer data and limit their liability. As such, it shouldn't be surprising to talk about employing security and process control measures as part of managing risks in the cloud.
{{Saved book
|title=Introduction to Quality and Quality Management Systems
|subtitle=
|cover-image=Time-Quality-Money.png
|cover-color=#fffccc
| setting-papersize = A4
| setting-showtoc = 1
| setting-columns = 1
}}


We learned in the last chapter that the National Institute of Standards and Technology (NIST) represents a strong example of a standards and recommendations body in the U.S. In their 2018 SP 800-37 Rev. 2 ''Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy'', NIST says the following about risk management for information systems<ref name="NISTSP800-37v2_18">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final |title=SP 800-37 Rev. 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy |author=National Institute of Standards and Technology |date=December 2018 |accessdate=21 August 2021}}</ref>:
==''Introduction to Quality and Quality Management Systems''==
{{ombox
| type      = content
| style    = width: 500px;
| text      = This book should not be considered complete until this message box has been removed. This is a work in progress.
}}
The goal of this short volume is to act as an introduction to the quality management system. It collects several articles related to quality, quality management, and associated systems.


<blockquote>Managing information system-related security and privacy risk is a complex undertaking that requires the involvement of the entire organization—from senior leaders providing the strategic vision and top-level goals and objectives for the organization, to mid-level leaders planning, executing, and managing projects, to individuals developing, implementing, operating, and maintaining the systems supporting the organization’s missions and business functions. Risk management is a holistic activity that affects every aspect of the organization, including the mission and business planning activities, the enterprise architecture, the SDLC processes, and the systems engineering activities that are integral to those system life cycle processes.</blockquote>
;1. What is quality?
:''Key terms''
:[[Quality (business)|Quality]]
:[[Quality assurance]]
:[[Quality control]]
:''The rest''
:[[Data quality]]
:[[Information quality]]
:[[Nonconformity (quality)|Nonconformity]]
:[[Service quality]]
;2. Processes and improvement
:[[Business process]]
:[[Process capability]]
:[[Risk management]]
:[[Workflow]]
;3. Mechanisms for quality
:[[Acceptance testing]]
:[[Conformance testing]]
:[[Clinical quality management system]]
:[[Continual improvement process]]
:[[Corrective and preventive action]]
:[[Good manufacturing practice]]
:[[Malcolm Baldrige National Quality Improvement Act of 1987]]
:[[Quality management]]
:[[Quality management system]]
:[[Total quality management]]
;4. Quality standards
:[[ISO 9000]]
:[[ISO 13485]]
:[[ISO 14000|ISO 14001]]
:[[ISO 15189]]
:[[ISO/IEC 17025]]
:[[ISO/TS 16949]]
;5. Quality in software
:[[Software quality]]
:[[Software quality assurance]]
:[[Software quality management]]


As Figure 4—from the same NIST guide—notes, there are three main levels at which an organization must approach risk management activities for their information systems: the organization level, the mission/business process level, and the information system level. The arrow on the left highlights the criticality of proper communication across all three levels in order for the organization to make the most of their risk management activities. Just as IT forms the base of any software-driven business efforts, critical stakeholders in IT form the base of communication about IT risk and security requirements. Without those stakeholders' knowledge and feedback, business processes and company policy would be ill-informed. Now let's start from the top of the pyramid and head downward. Note that without strong leadership, well-crafted business goals, and management buy-in on quality, budget, and security, business processes would be a mess and IT-related efforts would be sub-par and at-risk.
<!--Place all category tags here-->
 
The implication with Figure 4 and NIST's guide is that effective planning and communication is critical to ensuring information systems are implemented securely during their entire life cycle. Many organizations approach this task by developing, implementing, and enforcing a [[cybersecurity]] plan, in which identifying cybersecurity requirements and objectives—i.e., [[risk assessment]] and management—is a vital component. (See the ''[[LII:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan|Comprehensive Guide to Developing and Implementing a Cybersecurity Plan]]'' for much more on this topic.)
 
==References==
{{Reflist}}

Latest revision as of 19:46, 9 February 2022

Introduction to Quality and Quality Management Systems
Time-Quality-Money.png
This user book is a user-generated collection of LIMSWiki articles that can be easily saved, rendered electronically, and ordered as a printed book.
If you are the creator of this book and need help, see Help:Books.

Edit this book: Book Creator · Wikitext
Select format to download:

PDF (A4) · PDF (Letter)

Order a printed copy from these publishers: PediaPress
Start ] [ FAQ ] [ Basic help ] [ Advanced help ] [ Feedback ] [ Recent Changes ]


Introduction to Quality and Quality Management Systems

The goal of this short volume is to act as an introduction to the quality management system. It collects several articles related to quality, quality management, and associated systems.

1. What is quality?
Key terms
Quality
Quality assurance
Quality control
The rest
Data quality
Information quality
Nonconformity
Service quality
2. Processes and improvement
Business process
Process capability
Risk management
Workflow
3. Mechanisms for quality
Acceptance testing
Conformance testing
Clinical quality management system
Continual improvement process
Corrective and preventive action
Good manufacturing practice
Malcolm Baldrige National Quality Improvement Act of 1987
Quality management
Quality management system
Total quality management
4. Quality standards
ISO 9000
ISO 13485
ISO 14001
ISO 15189
ISO/IEC 17025
ISO/TS 16949
5. Quality in software
Software quality
Software quality assurance
Software quality management