ERE Information Security Auditors
Executive Strategies for Managing Risk
Audit Tactics for Managing Risk

Archive for November, 2009

Micro IT Governance to Really Achieve Compliance Part 1

Tuesday, November 17th, 2009

This week I am sharing with you a rough draft of part 1 of a two-part article devoted to a concept I am creating called Micro-Governance.  I would greatly appreciate your ideas / feedback / constructive criticism.  Thank you in advance for sharing your ideas with me.

Executive Summary

IT Governance is difficult for most organizations, large and small, to initiate and to maintain as an ongoing process.  There are many organizations, vendors, and consultants that cater to the needs of IT governance.   Yet because of its inherent difficulties and complexities, IT Governance eludes most organizations.  The author proposes a dramatically scaled-down approach that implements the critical elements of the governance process in bite-sized pieces, aptly named Micro-Governance.

Definitions of IT Governance

Various bodies of authority on the subject publish similar definitions of IT Governance, each with its own emphasis of intent.  Three prominent authorities say the following:

  1. ISACA: …provide the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives.
  2. ITGI:… an effective IT governance framework that addresses strategic alignment, performance measurement, risk management, value delivery and resource management.

Significance of IT Governance for Compliance

IT Governance deals with the following subjects:

However, the scope of this whitepaper is confined to IT Governance as it applies to compliance to standards and regulations imposed by statutes and by governing bodies.

Compliance violations may attract all manner of liability directly affecting a governance committee, such as fines and imprisonment under SOX, revocation of interconnection agreements with electrical utilities under NERC CIP, and violation notices from third-party auditors against COBIT.

Legal Counsel and external auditors recommend compliance with standards and regulations

  • Financial SOX, Bill 109, PCI, SAS 70
  • Electrical Infrastructure for North America NERC CIP
  • Privacy PIPEDA, Red Flag, GLB
  • Industry Best Practice Standards: COBIT, ITIL

Insufficient Governance Impedes the Security Team

  • Slows decision making
  • Inhibits communication of risk and associated financial loss by the IT security team
  • Inhibits attaining sufficient IT security budget

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security Auditors

www.ere-security.ca

Sources of Information – Governance Authorities

Calculating ROI as a % of Cost of Risk

Monday, November 9th, 2009

This is the third article in this series on the methodology of calculating ROI for IT security.

There are three components to the ROI calculation:

1. Identifying actual security risks and translating them into quantifiable business risks.
2. Identifying how to mitigate the security risks, and determining the associated cost.
3. Calculating the ROI as the cost of mitigation expressed as a percentage of the cost of the risk.

This segment describes the third component.

Calculating the ROI

The totals of the cost of risk and the mitigation costs are used in the following formula:

ROI = (mitigation costs / cost of potential risk) x 100%

That is, the ROI figure is the mitigation cost expressed as a percentage of the cost of the potential risk, so a smaller percentage means a smaller spend is protecting against a given potential loss.

Sample ROI business case

A company is implementing a new web-based transaction system for its clients to place orders and to enquire about their account balance.  The incremental projected profit from the web site is estimated at $5,000 per day.

To minimize the complexity of the networking infrastructure required for the web site to communicate with a back-end database, the web site will be placed inside a DMZ within the corporate network.  However, the database server will reside on the corporate network itself, so a compromise of the web server gives an attacker a path from the DMZ to the servers behind it.

The CISO wants to understand the total business impact should a security breach of the new web site turn into an actual security event.  She requests that the governance committee identify the potential costs that would arise per occurrence of such an event under four (4) specific headings:

  1. Lost profit.
  2. Inability of other servers on the corporate network to continue operations.
  3. Damage to corporate and brand reputation.
  4. Legal consequences.

The governance committee provides the following averaged costs per occurrence of a security event, assuming a two-day outage, for the four subjects:

  1. Lost profit:     $10,000
  2. Inability of other servers on the corporate network to continue operations:     $100,000
  3. Damage to corporate and brand reputation:     $800,000
  4. Legal consequences:     $200,000

  Total potential cost per occurrence:     $1,110,000

The CISO then determines that the cost to protect the increased scope and risk of the infrastructure, over a three-year period, is $50,000 per year.

The CISO then calculates, per occurrence, using one year's mitigation cost:

ROI = ($50,000 / $1,110,000) x 100%

=  4.5%, or roughly 5%

Even taking the full three-year mitigation spend of $150,000, the figure is only 13.5% of the cost of a single occurrence.

Creating an Ongoing ROI Cost Justification Process

Fundamental to ensuring an ongoing, adequate security budget is keeping the executive committee fully engaged in the security process. It is incumbent upon the CIO and CISO to educate their executive peers on the principle that security is an ongoing process, not a one-time event.

As the CISO implements security infrastructure, it is therefore critical that they report on the results in terms of the initial business case used to cost-justify the investment: a follow-up business case showing that the investment in security had the planned payback.

An evidentiary approach to providing factual proof to the governance committee is to accumulate statistics on potential breaches that were avoided.  These statistics should be collected from the logs of the security technology, which identify attacks that were caught, vulnerabilities that were mitigated, and security events that were therefore avoided.  A blocked attempt is not proof that a loss would have followed, so the figures are more credible when each event is weighted by its severity rather than counted as a full occurrence of the business-case loss.

It is recommended to communicate this material in simple graph format, showing:

  1. The number of incidents ranked by severity plotted against a timeline.
  2. The resulting potential losses associated with possible incidents, plotted against time.
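As an added illustration (this is not code from the original post or from ERE), the following Python script applies the ROI formula from "Calculating the ROI" to the business-case figures above, and then builds from a handful of constructed WAF/IPS log lines the two series this section recommends plotting: blocked incidents per month ranked by severity, and the potential loss they represent. The log format, the log lines themselves and the severity-to-loss table are assumptions made for this example; the cost components and the $50,000 annual mitigation cost are the post's own figures.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed key=value format from a WAF and an
# IPS); not taken from any real device or from the original post.
SAMPLE_LOGS = """\
2009-11-02T10:14:03 waf action=block sev=high sig=sqli src=203.0.113.7 dst=/orders
2009-11-02T11:20:41 waf action=block sev=low sig=scanner src=198.51.100.9 dst=/
2009-11-09T08:02:10 ips action=block sev=critical sig=rpc-exploit src=203.0.113.44 dst=db01
2009-11-15T22:47:55 waf action=allow sev=info sig=none src=192.0.2.3 dst=/balance
2009-12-01T03:30:12 waf action=block sev=high sig=xss src=203.0.113.7 dst=/orders
2009-12-18T13:05:00 ips action=block sev=medium sig=brute-force src=198.51.100.22 dst=db01
"""

# Per-occurrence cost components from the post's business case (two-day outage).
COST_OF_RISK = {
    "lost_profit": 10_000,
    "other_servers_down": 100_000,
    "reputation": 800_000,
    "legal": 200_000,
}
ANNUAL_MITIGATION_COST = 50_000  # the post's figure, per year over three years

# Assumed severity-to-loss table, for illustration only. A blocked attempt is
# not proof that a loss would have followed, so only a critical event is given
# the full per-occurrence cost; lower severities are scaled down.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
LOSS_PER_BLOCKED_EVENT = {
    "critical": 1_110_000,
    "high": 110_000,
    "medium": 10_000,
    "low": 0,
    "info": 0,
}

LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+\s+(?P<device>\S+)\s+(?P<kv>.*)$")


def total_cost_of_risk(components):
    """Sum the governance committee's cost components for one occurrence."""
    return sum(components.values())


def roi_percent(mitigation_cost, cost_of_risk):
    """The post's formula: mitigation cost as a percentage of the cost of risk."""
    if cost_of_risk <= 0:
        raise ValueError("cost of risk must be positive")
    return mitigation_cost / cost_of_risk * 100


def parse_log_line(line):
    """Parse one key=value log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = {"date": m.group("ts"), "device": m.group("device")}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def incidents_by_month(log_text):
    """Count blocked events per month and severity: {month: {severity: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        event = parse_log_line(line)
        if event is None or event.get("action") != "block":
            continue  # allowed traffic and unparseable lines are not incidents
        counts[event["date"][:7]][event.get("sev", "info")] += 1
    return {month: dict(sevs) for month, sevs in counts.items()}


def potential_loss_by_month(counts, loss_table=LOSS_PER_BLOCKED_EVENT):
    """Translate blocked-event counts into potential loss avoided per month."""
    return {
        month: sum(loss_table.get(sev, 0) * n for sev, n in sevs.items())
        for month, sevs in counts.items()
    }


def justification_report(log_text, annual_mitigation_cost=ANNUAL_MITIGATION_COST):
    """Build the two series the post recommends plotting, plus both ROI figures."""
    counts = incidents_by_month(log_text)
    losses = potential_loss_by_month(counts)
    per_occurrence = total_cost_of_risk(COST_OF_RISK)
    avoided = sum(losses.values())
    return {
        "cost_of_risk_per_occurrence": per_occurrence,
        "roi_percent_per_occurrence": roi_percent(annual_mitigation_cost, per_occurrence),
        "incidents_by_month": counts,
        "potential_loss_by_month": losses,
        # Same formula, applied to what the logs say was actually avoided.
        "roi_percent_vs_avoided_loss": roi_percent(annual_mitigation_cost, avoided) if avoided else None,
    }


if __name__ == "__main__":
    report = justification_report(SAMPLE_LOGS)
    print(f"cost of risk per occurrence: ${report['cost_of_risk_per_occurrence']:,}")
    print(f"ROI (post's formula): {report['roi_percent_per_occurrence']:.1f}%")
    for month in sorted(report["incidents_by_month"]):
        sevs = report["incidents_by_month"][month]
        ranked = sorted(sevs.items(), key=lambda kv: -SEVERITY_RANK.get(kv[0], 0))
        print(month, ranked, f"potential loss ${report['potential_loss_by_month'][month]:,}")
```

The two dictionaries returned by `incidents_by_month` and `potential_loss_by_month` are exactly the series for the two graphs above (severity counts over time, and dollars over time); feeding them to a plotting library is left out so the script runs offline. Note that `justification_report` reports the ROI figure both against the business-case cost of one occurrence (4.5%) and against the loss the logs suggest was actually avoided, which is the number that keeps the executive committee engaged after the first year.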

My final article in this series will cover outsourcing security monitoring as a cost savings option and a call to action for the entire series.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security Auditors

www.ere-security.ca

Buying Malware and other Self-Destructive Behaviour

Tuesday, November 3rd, 2009


Last week I received a call from a lady requesting my assistance. Let’s call her Linda.  Linda’s dilemma was that she purchased online an anti-virus package (from an unknown vendor) which delivered two surprises:

  1. It did not work.
  2. It crashed her computer.  Linda was about to have her computer restored to working order.

We reviewed the details of her transaction and her situation and I provided Linda with the following recommendations:

  1. I found the actual vendor’s web site and contact information for Linda (nothing whatsoever to do with our business), and suggested Linda contact them directly and ask for an immediate refund.
  2. We discussed the merits of her not doing anything to her computer until the issue of the refund was handled to her satisfaction.  My reasoning was that a law enforcement agency may wish to do a forensic review of her computer.
  3. Further, based upon the outcome of the refund request, we discussed Linda contacting her local law enforcement and the FBI with regard to possible fraud.
  4. Next we discussed the merits of Linda immediately reporting this transaction to her credit card company and changing her credit card number.
  5. Finally we agreed that self-destructive behaviour such as dealing electronically with parties unknown is to be avoided.

A few days later Linda called me again, probably with a smile on her face.  Apparently she got a full refund from the vendor, and her credit card company replaced her credit card.   So for the time being, law enforcement is out of the loop, and Linda was off to restore her computer to its previous health.

You may be wondering how Linda, who is a resident of the USA, found my company, as was I.  After doing some surfing I found a link from her vendor, which was in Europe, to a site with a somewhat similar name as our company.  Only the company in question was apparently also in Europe, not Canada, and provided no contact information whatsoever.  So Linda did a partial name search and found our company in Canada.

My last couple of blog posts have dealt with the dangers of inappropriate trust on the web and how users can protect themselves.  Just as you wouldn’t feel comfortable purchasing meat being sold from a stranger’s car, it seems reasonable to similarly not purchase anything from an unknown party on the web.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security Auditors

www.ere-security.ca


Copyrights © 2007-2008. All rights reserved.