Archive for the ‘Internet Security’ Category
Monday, March 1st, 2010
In an article today entitled Researchers Warn Of SmartPhone Security Threats, conveniently located in the RSS feed on our web site www.ere-security.ca (no self serving here), the researchers in question discuss rootkit vulnerabilities to smart phone operating systems.
From the article, it appears that some people may / would be surprised by rootkits turning up in smart devices. Why would anybody be surprised?
Please don’t get me started about rootkits. For those of you not too familiar with these insidious creations by devious minds, rootkits are nasty programs that are designed to:
Do whatever the author intends, including but not limited to, providing admin privileges to the author, stealing information, damaging the host system, and migrating to other neighboring devices on a network. They are proficient at hiding themselves by using very sophisticated techniques involving system registries, and in turn may hide other malware from anti-virus technology. A very clear summary of the hows / whys / wheres of rootkits may be found at: http://en.wikipedia.org/wiki/Rootkit
I’d like to hear from those of you who:
- Found rootkits on your own or your clients’ devices.
- Were asked by the clients to not bother identifying the vector used by the rootkit to insert itself.
- How you found them; by forensic audit processes for instance?
- Found any software that is supposed to be resident on workstations or servers and identifies rootkits.
- Any rootkit software I’ve tested finds .dll files which appear as unidentified.
- I know there are lots of claims about tools that find / remove rootkits. My question is: has anyone found / built one that conclusively works, without creating too many false positives?
We all know the usual ways to guard against malware. The questions are:
- Why would anybody be surprised when rootkits invade the domain of intelligent portable devices?
- Why do some users of said devices treat security with complete abandon, like the “wild west”?
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security and Privacy Compliance Auditors
www.ere-security.ca
Tags: Information Security, IT Security, Root Kits, Smartphones
Posted in Internet Security | 1 Comment »
Wednesday, January 6th, 2010
Last week’s blog described the problems caused by insufficient Governance and the root causes of this problem. This week’s blog provides an example situation which illustrates the steps for implementing IT security micro Governance to address a security threat.
Example Situation
The Problem Statement
1. A CIO of a fictitious company identifies weak identity management as a significant risk to the privacy and integrity to corporate information as well as to SOX compliance.
2. The problem has recently arisen due to several factors:
* The external corporate auditors introduced new IT audit control points for monitoring unauthorized and attempted unauthorized accesses to critical servers and critical applications.
* Corporate cost cutting has caused a reduction in the staff levels of the security administration group.
* A cost cutting reorganization has dramatically changed employees’ roles and need to access various servers and applications.
* The group of recently terminated employees which include IT security administrators has raised the potential threat of malicious activity from x-employees plus a diminished capacity for the corporation to adequately administer access privileges.
3. There are insufficient funds for a comprehensive upgrade to the identity management infrastructure to ensure reasonable compliance for SOX.
4. The problem is further obfuscated as the lack of any major security breach makes it appear to senior executives that there are no security threats.
5. Nonexistent IT Governance means decision making about the new risk will be delayed until the next year’s budget cycle.
IT micro Governance Solution
1. If the corporation does in fact have an IT Governance committee that is amenable to reacting quickly with micro Governance decisions, then the CIO can identify to the Governance committee the business risks relating to weak identity management.
2. The governance committee works with the CIO to estimate the cost to the corporation in the event of a security event at $5,000,000 per incident.
3. They build a business case modeled upon the chance of a security event occurring once per year.
a. The CIO estimates the first year annual cost to technically mitigate the risk at $100,000 and $50,000 annually thereafter.
b. The first year mitigation cost / annual loss expectation is $100,000 / $5,000,000 or 2% and 1% thereafter.
c. The Governance committee decides the return is acceptable.
4. The IT Governance committee formally creates a specific task force and IT micro Governance process to mitigate the identity management risk.
5. They engage a third party advisor to expedite the process, so that an aggressive date of fully tested implementation is 6 months.
6. They appoint virtual team leaders to manage each risk management process. The team leaders are comprised of two members of the IT Governance committee, the CIO, three members of the IT security team, 6 business line managers, a member of HR and a member of the CFO’s team. They also have external security consultants and auditors to assist with testing and evaluating the effectiveness of the new process.
7. The virtual team leaders assign other employees to implement the project and to create an ongoing process to monitor, manage, and report on the proposed identity management process.
8. The team creates a detailed project plan to complete the project.
9. The third party consultants and auditors work with the team right from the beginning to design processes and mechanisms to test and report on the degree of success of the new identity management process.
10. The virtual team and IT Governance committee creates a schedule for reporting / feedback / direction meetings as oversight for the new process, including:
a. Evaluating the degree of success of the initial implementation.
b. A subset of the virtual team continues to monitor and report to the Governance Committee.
c. A third party with expertise in calculating IT security risk is assigned the task of re-evaluating the initial ROI or cost avoidance business model in terms of:
i. Was risk correctly estimated?
ii. Is there an ongoing evaluation of the degree of risk reduction?
iii. Can the new process and its budget be integrated into IT security operations / administration. Can the virtual team be disbanded?
Conclusion: Keep it simple.
Sources of Information – Governance Authorities
* ISACA (Information Systems Audit and Control Association) www.isaca.org
* ITGI (IT Governance Institute) www.itgi.org
* Gartner Group www.gartner.com
* IBM www-935.ibm.com/services/us/index.wss/offering/its/a1031003
* SANS (SysAdmin, Audit, Network, Security Institute) www.sans.org/reading_room/whitepapers/casestudies/corporate_governance_and_information_security_1382
* The IT Metrics and Productivity Institute http://www.itmpi.org/default.aspx?pageid=198
* MIT Sloan School of Management http://web.mit.edu/cisr/working%20papers/cisrwp349.pdf
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors
www.ere-security.ca
Tags: Information Security, IT Security, Micro Governance
Posted in Information Security, Internet Security, Security Postings | No Comments »
Tuesday, December 29th, 2009
Last week’s blog introduced my concept of IT security micro Governance. This weeks installment covers the problems caused by insufficient Governance and the root causes of this problem.
Insufficient IT Governance Impedes the Security Team
In dynamic network environments, security issues can quickly appear where there are insufficient funds planned to mitigate new security risks. An active IT Governance process is invaluable to deal with such issues.
Insufficient IT Governance:
* Slows decision making.
* Inhibits communication of risk and associated potential financial loss between the IT Security. Team and executive management.
* Inhibits attaining unplanned, sufficient IT security funding.
Barriers to implementing IT Governance
Well known barriers to attaining IT governance are:
* The all encompassing scope of any Governance is a daunting challenge to face.
* Expensive.
* Time consuming.
* IT security risk can be very difficult to quantify.
* The executives may find it difficult to request additional funds particularly where the IT security team has done an excellent job and there are no expensive security vulnerabilities.
* A false sense of security makes cost justifying security budgets difficult.
* A Governance committee may get bogged down over confusion arising between identifying the content of compliance frameworks with compliance objectives.
* Turf wars over accepting / relegating ownership of responsibilities for various aspects of IT compliance.
* Maintaining longevity of the IT Governance process.
ITSecurity micro Governance as a Practical Alternative
A simplified alternative to the barriers mentioned above creates a bite-sized micro process which will provide the following value to a corporate entity:
* Minimizes the liability of executives with respect to their fiduciary responsibilities for IT Governance.
* Facilitates communications between the Governance Body and the IT Security Team regarding cost justification of unplanned or insufficient budget.
* Provides a regular opportunity for the Security Team to convey top priorities with requests for expedited executive authorization.
* Provides a regular opportunity for executives to convey business priorities that affect IT related risk directly to those responsible for physically managing those risks.
* Minimizes decision time and frustration levels by identifying bite sized issues.
Steps to Implement IT Micro Governance
1. IT Security should identify the top priority IT security risk(s) that require immediate decisions / funding by the executive team.
2. Estimate the ROI or potential cost avoidance by mitigating the risk(s).
3. Formally create a micro-Governance process to address the risk(s).
4. Engage a third party advisor to expedite the process.
5. Create a virtual (temporary) team to manage each risk management process.
6. Assign other management and employees as appropriate to the virtual team.
7. Identify a timeline to complete the project.
8. Identify a mechanism to test the degree of success of the mitigation.
9. Identify a timeline to report the degree of success back to the IT Governance Committee.
10. Assess whether ROI or cost avoidance goals were sufficiently met. *
11. Mandate longevity for the micro Governance process by directing the virtual team to continue monitoring the process and reporting to the Governance Committee.
12. Integrate the process into the IT security operations / administration processes and disband the virtual team.
* It is difficult to obtain data that captures the prevention of a security threat based on a specific action taken. One empirical yet evidentiary based method is to compare the frequency of similar threats before and after mediation steps are implemented.
To assist with calculating IT security related, risk, ROI / cost avoidance, and residual risk, Governance Committees (and IT security professionals) can contract third party expertise in these matters.
Next week’s blog will be an example situation which illustrates the steps for implementing IT security micro Governance to address a security threat.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditor
www.ere-security.ca
Tags: Information Security, IT Security, Micro Governance
Posted in Information Security, Internet Security, Security Postings | 3 Comments »
Tuesday, December 22nd, 2009
This week’s blog is the first of a three part series about my idea for an expedited method of implementing IT security Governance. Your feed back would be most appreciated.
Executive Summary
IT Governance is difficult for most organizations to initiate and maintain as it is an ongoing process, particularly for medium and small institutions. There are many subject experts, vendors, and consultants that cater to implementation, but the inherent difficulties and complexities make the implementation of it an elusive goal for many.
Since Governance is, by definition, strategic and focused over long timeframes, it is not designed to deal with unexpected and potentially costly IT security threats. Threats which can evolve into costly security events. A distraught client once described how a serious access breach within his organization could have been prevented if the senior management had evaluated and acted upon his impromptu but appropriate recommendations to harden access controls. The author proposes a modified process to respond to mitigating threats that require funds exceeding the annual IT security budget. I call this micro Governance.
Definitions of IT Governance
IT Governance is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management. Various bodies of authority on the subject publish similar definitions of IT Governance, each with its own emphasis of intent. Four prominent authorities define IT governance on their web sites as follows:
1. ISACA: …provide the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives.
2. ITGI:… an effective IT governance framework that addresses strategic alignment, performance measurement, risk management, value delivery and resource management.
3. Forrester: … The act of establishing IT decision structures, processes, and communication mechanisms in support of the business objectives and tracking progress against fulfilling business obligations efficiently and consistently.
4. MIT Sloan School of Management: IT governance is the process by which firms align actions with their performance goals and assign accountability for those actions and their outcomes.
The three predominant frameworks for implementing IT Governance are provided by ISACA, ITIL and ISO. In a more granular view, the ISO 38500:2008 guiding principles are organized into three prime sections, specifically Scope, Framework and Guidance. The framework comprises definitions, principles and a model. It sets out six principles for good corporate governance of IT:
* Responsibility
* Strategy
* Acquisition
* Performance
* Conformance
* Human behaviour
Significance of IT Security Governance for Compliance
Compliance violations may attract all manner of liability directly affecting a governance committee, such as fines and confinement for SOX, revocation of interconnection agreements with electrical utilities for NERC CIP, and violation notices from third party auditors for COBIT.
Examples of well known regulatory frameworks and compliance standards are as follows:
* Financial - SOX, Bill 109, Basel II, PCI, SAS 70
* Electrical Infrastructure for North America - NERC CIP
* Privacy – PIPEDA, Red Flag, GLB
* Industry Best Practices - COBIT, ITIL
Next week’s blog will cover the problems caused by insufficient Governance and the root causes of this problem.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors
www.ere-security.ca
Tags: Information Security, IT Governance, IT Security
Posted in Information Security, Internet Security, Security Postings | 1 Comment »
Tuesday, December 15th, 2009
My blog this week is a review of a book I recently read, which purportedly was going to tell the reader “What the computer security industry doesn’t want you to know.”
The Myths of Security
By John Viega,
Published by O’Reilly Media Inc.
Printed June 2009
This self proclaimed expose about secrets closely guarded by the security industry fails to tell the reader much of anything new, except the details of John Vega’s history of working with MacAfee – twice.
The word Myths in the title implies, at least to me, long believed truths about to be proved otherwise. These revelations never occurred in the 48 chapters, unless you consider repeating common knowledge in the security industry as new revelations.
A central revelation is that AV vendors have a difficult time keeping up with new malware. There are several chapters dedicated to why AV tools are not effective, why they consume large amounts of computer resources, and the author’s ideas of the AV industry members should collaborate by sharing their knowledge of zero day malware. He further suggests they create “CIST”, the Consortium for Interoperability with Security Technology.
These ideas of collaboration sound viable from a technical perspective, but hardly realistic in a competitive capitalistic environment that favours the strongest vendors. However the author’s suggestions are not revelations of secrets.
Viega goes on to compare the workings of AV with firewalls and with IDS. While these analogies are clever, they are hardly central to the book’s premise of revelation.
I was left scratching my head as the author claims that many AV products have a low degree of usefulness, without providing any statistical, verifiable evidence to prove his point. Unsubstantiated opinion, and in my opinion, overly negative.
Which brings me to the next point about the author’s many references of praise about MacAfee. After 20, I lost count of references to MacAfee, liberally spread throughout the book. This affection and praise for one vendor and twice previous employer certainly challenges the impartiality of the author’s revelations.
It seems the author has liberally substituted hyperbole for fact. For instance the chapter entitled “Google is Evil” says Google’s Adwords creates a conflict of interest between impartiality and profit. Hardly a surprise. The Chapter “VPNs Usually Decrease Security” states the obvious: a compromised VPN’d client workstation indeed is a threat to a host network.
Similarly “The security Industry is Broken” chapter really says security vendors of products and services are not 100% perfect. No further comment is necessary here.
It is not clear to me to whom the book is intended. It can not be for security practitioners with certifications such as CISSP or CISM. In an effort to minimize technical terms, Viega uses a wordy description to circumvent the use of “hashing” ( mentioned in a footnote below the text.)
End users who are not technology savvy might find the book verbose. The few good security recommendations are summarized in a few pages; recommendations which commonly stated in any end-user policy worth reading.
Time reading this book would be better spent elsewhere.
PS I feel guilty writing such a negative article, especially since it is far easier to criticize than to create. So please take my comments with a grain of salt.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors
www.ere-security.ca
Tags: Computer Security, Information Security, IT Security, Security Industry, The Myths of Security
Posted in Information Security, Internet Security, Security Postings | No Comments »
Tuesday, December 8th, 2009
Last week I posted a rough draft of part 1 of 2 an article devoted to a concept I am creating called Micro-Governance. Next weeks’ post is part 2 of 2 would greatly appreciate your ideas / feedback / constructive criticism. Thank you in advance for sharing your ideas with me.
Barriers to implementing IT Governance
- All encompassing scope
- Complex PPM Project Portfolio Management
- Expensive
- Time consuming
- Risk is very difficult to quantify
- False sense of security confuses cost justifying security budgets
- Turf wars over accepting / relegating ownership of responsibilities
- Maintaining longevity of the process
Micro – Governance a practical alternative
- Minimize liability of executives / board
- Facilitates communications between Governance and the Security Team regarding cost justification of budget
- Provides a regular opportunity for the Security Team to convey top priorities with requests for executive authorization
- Minimizes decision time and frustration levels by identifying bite sized issues
- Quantify the few most threatening risks
- Create a virtual team with responsibility to mitigate and report
- Measure the results
- Authorize / fund the virtual team
Call to Action
- CEO and CIO discuss a few top priority IT security risks that require immediate decisions / funding
- Formally create a micro-Governance process to address each risk.
- Engage a third party advisor to expedite the process.
- Create a small virtual team to manage each risk management process.
- Assign other management and employees as appropriate to the virtual team.
- Identify a timeline to complete the project.
- Identify a mechanism to test the degree of success of the mitigation
- Identify a timeline to report the degree of success back to the IT Governance Committee.
Assess Financial Cost of Risk and Residual Risk
- document the technical risks
- Translate them into business risks
- Utilize a straw poll for executives to estimate the cost of liability should the risks become realities.
- Utilize a straw poll for technology experts to guestimate the % chance of a onetime occurrence both before and after mitigation steps are applied.
- Compare the cost of risk vs. residual risk to the cost of mitigation
Create Longevity to the Micro- Governance Process(es)
- Direct the virtual team(s) to continue monitoring and report according to a defined schedule Committee
- Otherwise dissolve the virtual team(s)
Sources of Information – Governance Authorities
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors
www.ere-security.ca
Tags: Information Security, Information Security Compliance, IT Governance, IT Security
Posted in Information Security, Internet Security, Security Postings | No Comments »
Tuesday, November 17th, 2009
This week I am sharing with you a rough draft of part 1 of 2 an article devoted to a concept I am creating called Micro-Governance. I would greatly appreciate your ideas / feedback / constructive criticism. Thank you in advance for sharing your ideas with me.
Executive Summary
IT Governance is difficult for most organizations, large and small, to initiate and to maintain as an ongoing process. There are many organizations, vendors, and consultants that cater to the needs of IT governance. Yet because of its inherent difficulties and complexities, IT Governance eludes most organizations. The author proposes a dramatically scaled down approach to achieving and to successfully implementing bite sized pieces of critical elements of the Governance process, aptly named Micro-Governance.
Definitions of IT Governance
Various bodies of authority on the subject publish similar definitions of IT Governance, each with its own emphasis of intent. Three prominent authorities say the following:
- ISACA: …provide the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives.
- ITGI:… an effective IT governance framework that addresses strategic alignment, performance measurement, risk management, value delivery and resource management.
Significance of IT Governance for Compliance
IT Governance deals with the following subjects:
However, the scope of this whitepaper is confined to IT Governance as it applies to compliance to standards and regulations imposed by statutes and by governing bodies.
Compliance violations may attracts all manner of liability directly affecting a governance committee, such as fines and confinement for SOX, revocation of interconnection agreements with electrical utilities for NERC CIP, and violation notices from third party auditors for COBIT.
Legal Counsel and external auditors recommend compliance with standards and regulations
- Financial SOX, Bill 109, PCI, SAS 70
- Electrical Infrastructure for North America NERC CIP
- Privacy PIPEDA, Red Flag, GLB
- Industry Best Practice Standards: COBIT, ITIL,
Insufficient Governance Impedes the Security Team
- Slows decision making
- Inhibits communication of risk and associated financial loss from IT Security Team
- Inhibits attaining sufficient IT security budget
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors
www.ere-security.ca
Sources of Information – Governance Authorities
Tags: Information Security, Information Security Compliance, IT Governance, IT Security
Posted in Information Security, Internet Security, Security Postings | 2 Comments »
Monday, November 9th, 2009
This is the third article in this series on the Methodology of Calculating ROI for IT security
There are three components to the ROI calculation:
1. Identifying actual security risks and translating them into quantifiable business risks.
2. Identifying how to mitigate the security risks, and determining the associated cost.
3. Calculating the ROI as the per cent of cost of mitigation divided by the cost of the risk. This segment describes how to calculate ROI as the per cent of cost of mitigation divided by the cost of risk.
Calculating the ROI
The totals of the cost of risk and the mitigation costs are used in the following formula:
ROI = mitigation costs divided by the cost of potential risk divided by 100
Or
ROI = % (mitigation costs) / (the cost of potential risk)
Sample ROI business case
A company is implementing a new web based transaction system for their clients to place orders and to enquire about their account balance. The incremental projected profit from the web site is estimated at $5,000 per day.
To minimize the complexity of the networking infrastructure required for the web site to communicate with a back-end database, the web site will be placed inside a DMZ within the corporate network. However, the database server will reside on the corporate network.
The CISO wants to understand the total business impact of a security breach on the new web site actually translating into a security event. She requests the governance committee identify what the potential costs would arise per occurrence of such an event, relating to four (4) specific subjects:
- Lost profit.
- Inability of other servers on the corporate network to continue operations.
- Damage to corporate and brand reputation.
- Legal consequences.
The governance committee provides the following averaged costs per occurrence of a security event, assuming a two day outage, for the four subjects:
- Lost profit: $10,000
- Inability of other servers on the corporate network to continue operations: $100,000
- Damage to corporate and brand reputation: $800,000
- Legal consequences: $200,000
- Total potential costs. $1,110,000
The CISO then determines that the cost to protect the increase in scope and risk of the infrastructure, over a three years period is $50,000 per year.
The CISO then calculates, per occurrence:
ROI = $50,000 / ($1,110,000 x 100%)
= 5%
Creating an Ongoing ROI Cost Justification Process
Fundamental to ensuring an ongoing adequate security budget is keeping the executive committee fully engaged in the security process. It is incumbent upon the CIO and CISO to educate their executive peers on the principle that security is an ongoing process, and not a onetime event.
As such, as the CISO successfully implements security infrastructure, it is critical they report on the results in terms of the initial business case used to cost justify the process. This can be successfully accomplished by proving with a business case that the investment in security had the planned payback.
An evidentiary approach to providing factual proof to the governance committee is to accumulate statistical proof of potential breaches that were avoided. These statistics should be collected from the logs of the security technology, which identify risks that were caught, vulnerabilities that were mitigated, and potential security events that were therefore avoided.
It is recommended to communicate this material in simple graph format, showing:
- The number of incidents ranked by severity plotted against a timeline.
- The resulting potential losses associated with possible incidents, plotted against time.
My final article in this series will cover outsourcing security monitoring as a cost savings option and a call to action for the entire series.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditor
www.ere-security.ca
Tags: IT Security, Return on Investment, ROI, Security Risks
Posted in Information Security, Internet Security, Security Postings | No Comments »
Tuesday, November 3rd, 2009
Last week I received a call from a lady requesting my assistance. Let’s call her Linda. Linda’s dilemma was that she purchased online an anti-virus package (from an unknown vendor) which delivered two surprises:
- It did not work.
- It crashed her computer. Linda was about to have her computer restored to a working order.
We reviewed the details of her transaction and her situation and I provided Linda with the following recommendations:
- I found the actual vendor’s web site and contact information for Linda (nothing whatsoever to do with our business), and suggested Linda contact them directly and ask for an immediate refund.
- We discussed the merits of her not doing anything to her computer until the issue of the refund was handled to her satisfaction. My reasoning was that a law enforcement agency may wish to do a forensic review of her computer.
- Further, based upon the outcome of the refund request, we discussed Linda contacting her local law enforcement and the FBI with regard to possible fraud.
- Next we discussed the merits of Linda immediately reporting this transaction to her credit card company and changing her credit card number.
- Finally we agreed that self destructive behavior such as dealing electronically with parties unknown is to be avoided.
A few days later Linda called me again, probably with a smile on her face. Apparently she got a full refund from the vendor, and her credit card company replaced her credit card. So for the time being, law enforcement is out of the loop, and Linda was off to restore her computer to its previous health.
You may be wondering how Linda, who is a resident of the USA, found my company, as was I. After doing some surfing I found a link from her vendor, which was in Europe, to a site with a somewhat similar name as our company. Only the company in question was apparently also in Europe, not Canada, and provided no contact information whatsoever. So Linda did a partial name search and found our company in Canada.
My last couple of blogs have dealt with the dangers of inappropriate trust on the web and how users can protect themselves. Just as you wouldn’t feel comfortable purchasing meat being sold from a strangers’ car, it seems reasonable to similarly not purchase anything from an unknown party on the web.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors
www.ere-security.ca
Tags: Anti-Virus, Internet Security, IT Security, Malware
Posted in Information Security, Internet Security | No Comments »
Tuesday, October 27th, 2009
Executive Summary
The way to get the executive team to pay attention is to provide a quality ROI on any new initiative. If the Boards of Directors can’t understand the needs of various departments then the only way to their pocketbook is to present them with a bottom line return on their investment.
In the case of procuring a security budget executives are often less than forthcoming because of the lack of information they receive from department heads. Boards of Directors and executive teams respond most favorably to requests for information security budgets which are cost justified with a simple ROI business case.
The business case needs to specifically show how potential costs associated with liability, caused by security breaches, may be minimized by implementing a sound security infrastructure. This can be accomplished by allowing a third party to do a security audit that provides evidence of security risks.
This approach of utilizing an ROI to cost justify a security budget is the same premise used to purchase insurance for commodities like office furniture, computers, etc. The difference is that if a security breach occurs as a result of not implementing the proper protection procedures, the associated costs far outweigh the costs to replace furniture.
The potential liabilities, such as loss of production and/or loss of reputation are translated into actual dollars in the ROI. The security budgets are created by taking a small percentage of the cost of the potential losses and applying it to preventative measures.
As such this calculation of ROI is actually a calculation of the % of the cost to avoid the cost of liability compared to the potential cost of liability. This is similar to the methodology for calculating the financial benefit of insurance for commodities such as office buildings, furniture and computers. [1]
Since the cost of a security infrastructure often falls within about the same price ratio of commodity insurance, one would think this cost justification would be easily sold to an executive committee.
This is often the case, particularly when the business risks identified in the business case are based upon hard evidence of actual security risks. Actual security risks can be identified by evidentiary security audits. These audits are performed by impartial third parties, with an expertise in identifying both technical and policy risks.
[1] Typical annual insurance rates for commodities are about 1.5% – 2.5% of asset replacement cost. The author has observed (over many business cases) that annual security budgets can similarly be about 2% – 4% of potential security breach related costs.
My next blog will focus on the Methodology of Calculating ROI.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors. www.ere-security.ca
Tags: Information Security, Information Security ROI, It Security Spending, Risk Security, Security Risk
Posted in Information Security, Internet Security, Security Postings | 1 Comment »
|
|
