Posts Tagged ‘IT Security’
Wednesday, April 14th, 2010
The Toronto Star ran an informative article last week about spying on the Internet, particularly using easily accessible tools like Google, blogs and social networking sites. The article delves into cyber-spy rings like Shadows and GhostNets and mentions the upcoming global cyber security summit to be hosted by the University of Toronto this fall. You can see the article on the ERE RSS news feed at www.ere-security.ca .
The article is compelling but the message should not be news to any computer user today. I’m not sure why anybody would be surprised that private information is stolen on the Internet after vast amounts of publicity on Identity Theft and about cyber-fraud.
So the important question is: Are you vulnerable to cyber –spying or to identity theft?
With regard to cyber-spying, the obvious question is: do you have any sensitive defense or political information worth stealing? If the answer is “no” then we can all assume you are not being targeted by a spy-ring.
With regard to identity theft and cyber-fraud, some important questions about your computer are:
Do you update your anti-virus and anti-malware software daily?
Do you patch your operating system as soon as important security patches are available?
Do you patch your web browser with security patches as soon as they are available?
Do you avoid updating software tools such as Adobe Acrobat until the updates have been proven to not introduce security vulnerabilities?
Do you run a sweep of your computer work station with an anti-virus and anti-malware tool once a week?
Do you run a web site safety evaluation tool?
If the answer is “no” to any of the above, you probably have security weaknesses. If you answer “no” to more than one question, you definitely want to consider improving your security procedures.
What about the answers to these questions about your cyber-behavior:
Do you open emails from sources you do not recognize?
Do you open attachments from friendly sources, without screening the attachment for malware prior to opening?
Do you visit unfamiliar web sites without first validating their safety?
Do you post on blogs or social networking sites any personal information including photographs?
Do you provide your home phone number to strangers?
Do you identify the names of your family members to strangers?
If you answer “yes” to any of these questions, you are probably jeopardizing the security and privacy of information on your workstation. If you answer “yes” to any of the last three questions, you may be putting your family members or yourself in harm’s way.
What about your cyber-housekeeping habits, such as:
Do you regularly change the password to your workstation?
Do you have a strong password for your workstation?
Do you encrypt personal information and passwords?
Do you leave unencrypted personal or sensitive information on external media?
Do you dispose of used disks and computer technology without destroying the media and memory hardware?
Do you dispose of scanner and photocopier technology without destroying the media and memory hardware?
Answering “yes” to any of the above, as you’ve already figured out, is not good for your cyber-health.
So the big question is: Do you want to greatly improve your personal cyber-security? If yes, by now you probably have a few new specific action items to execute.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors
www.ere-security.ca
Tags: Cyber Security, GhostNets, Identity Theft, Information Security, IT Security, Malware, Shadows, Toronto Star, Vulnerability
Posted in Information Security | No Comments »
Wednesday, April 7th, 2010
During the Easter weekend you may have seen scams in the form of spam about the newly released iPad.
The Better Business Bureau released a bulletin warning the public to be wary of bogus offers, such as:
- Claims you can become a tester or researcher and get an iPad for free.
- Requesting product testers for the iPad. The email points to a website Testitandkeepit.com which claims they are looking for people to test the iPad for a couple months, as compensation you get to keep the iPad. The biggest red flag with this offer is you have to provide your email address and password in order to “tell your friends.”
- Researchers Wanted-Get an iPad Early and Keep it” was designed to trick people into signing up for a cell phone subscription service that cost $10 a month.
The sad part about this scenario is that Internet users still need to be warned about email fraud. By Internet users I refer to both the unsophisticated and the well educated who should know better. If you don’t know better, for more information about the BBB bulletin, please see the related article on the ERE RSS news feed at www.ere-security.ca.
Isn’t it ironic that potential purchasers of leading edge technology like the iPad would also be susceptible to low brow high tech fraud?
We all know better than to open spam and to be very prudent when opening emails from unknown sources. This, of course, is email security policy 101. Everyone should know better than to divulge any passwords. While we are on the subject relating to the iPad scam, everyone should remember to:
- Never use the same password for your computer logon, email, social networking ATM.
- Change your passwords at least once per year. I know this is painful.
- Never “loan” your password to anyone. Ever.
- Always check the digital certificate on an e-commerce transaction site. You can do this by looking at the RSS certificate and then researching the certificate provider.
- Think before going to a web site offering something for free. Perhaps get a tool that attempts to triage sites by risk. This sound hypocritical, but I found an excellent “free” tool at Mcafee at http://www.siteadvisor.com/
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security and Privacy Compliance Auditors
www.ere-security.ca
Tags: Information Security, iPad, IT Security, Scams, Spam
Posted in Information Security | 2 Comments »
Wednesday, March 31st, 2010
“High- tech copy machines a gold mine for data thieves” was as story printed on March 18, 2010 in the Toronto Star, which should give pause to every one of us. That is, everybody who uses a smart photocopier or who provides access to one for others.
You may think this is overreaction, but is it?
By smart photocopier, I mean one with a computer inside that provides all the great features. The computer also has a disk, which indiscriminately retains images of sensitive and personal images like tax returns (social insurance numbers), job applications, and legal documents.
It also unwittingly retains images of critical information like executive summaries about corporate plans, new business strategies, and unpublished quarterly financial reports.
So everybody using a smart photocopier really needs to give some thought as to the consequences of their confidential material falling into the hands of those who would benefit from its unauthorized use for personal gain. How could this happen? you think. Well, lots of ways.
Someone such as a photocopier service person could simply copy the disk data. Or someone with unauthorized access to the machine at night. If the copier has a data access port, anyone familiar with the data communications capabilities of the data port could walk by with their smart phone and download the data.
Twenty years ago I remember watching a news documentary describing a similar but lower tech use of photocopiers to steal sensitive and critical information. Apparently during the cold war spies would insert a camera into a photocopier destined for the opposition’s embassy. Then the “copier tech” would surreptitiously remove the film from the hidden camera in the photocopier and, of course, replace it with more unused film.
So, without becoming paranoid about photocopiers, how can you get them to do you bidding with confidence that your sensitive and critical information will not fall into the hands of others?
Some simple things you can do are:
1. Always do your own photocopying whenever possible.
2. If you must use a copy service, then keep your eyes on your original documents and all copies of them, just as diligently as you would keep eye contact with your credit /debit card during a purchasing transaction.
3. Don’t use smart photocopiers unless you are sure of the security policy by which they are managed.
As the custodian of a smart photocopier, ensure your telecommunications and security people have configured it to:
a. Configure it to communicate only as mandated by your corporate security policy.
b. Implement an ongoing process to regularly scrub (rather than just “deleted”).
c. Implement an ongoing process to monitor the event logs of the copier and alert on suspicious activity such as unauthorized attempts to connect it to a telecommunications network, unauthorized attempts to communicate with its data port in order to upload data, and unauthorized attempts to open or tamper with the machine.
Prior to sending the copier off premises for service or for disposal, ensure the disk is either removed and destroyed or that data is scrubbed and destroyed completely. Otherwise, you could end up with the same consequences as confidential data on a used and resold computer work station or laptop being retrieved by its new owner.
Of course we all know that there are dumb users even for smart photocopiers. How many times have we all found original documents left by some previous users of the copy machine? So it’s probably a good practice to count your original documents before and after using a photocopier.
Have a secure week.
Ron Lepofsky, B.A.SC. (Mech Eng), CISSP
President
ERE Information Security Auditors
www.ere-security.ca
www.ere-security.com
Tags: Information Security, IT Security, Photocopiers, Smart Photocopier
Posted in Information Security, Security Postings | 2 Comments »
Tuesday, March 23rd, 2010
Great article this week by Brian Krebson about the risks and liabilities of on line banking for businesses, on Brian’s blog: http://www.krebsonsecurity.com/2010/03/ebanking-victim-take-a-number/
But no need to just believe Brian; there are lots of news articles every month about security and privacy breaches of information handlers and service providers for banks and credit card companies as well as for actual banks and credit card companies.
My opinion on the subject of IT security and privacy with regard to on-line banking is: Caveat Emptor: Buyer Beware! There are several sources of security threats with corresponding vulnerabilities beyond the control of most consumers of on-line services. So I strongly advise on-line users to compare the potential cost of impact of a security breach against the time savings of on-line banking.
If the potential losses are large, say $25,000 for a small business, compared to 2 hours per week of time saved at $75 / hour which equates to $7,800 annually, then it may be advisable to take another step in evaluating the risks involved.
Let’s say the user is not technically strong with regards to IT security and therefore needs to make some qualitative, anecdotal assumptions about the risk of on-line banking. The user may consider the following risk factors:
- Banks make errors.
- Users make errors in all sorts of ways, such as; not keeping their anti-virus signatures updated, not keeping their security patches and operating system patches / updates completed in a timely manner; not visiting web sites that may inject malware into their systems; opening email attachments; opening email from unknown individuals; etc. etc.
- Banks may not fully refund funds caused by a security breach during an online transaction.
- Banks may refund funds but not in a timely fashion.
- Do you want to do battle with a bank?
Based upon these and other risks, a user can decide if their risk is high, medium, or low. They could then go a step further and allocate values of 70% – 100% to high risk; 40% – 69% to medium risk; 0% – 68% for low risk.
As a sanity check, they can estimate the impact of one loss as % chance of loss x possible cost of loss. So a user who estimates they face medium risk of 50% and have in their on-line account a maximum of $50,000 at any time, the cost of security breach could be 50% X $50,000 or $25,000.
Perhaps compared with $7,800 in annual savings, it may be a good idea to consider other options, such as:
- Doing only online bank enquiries, ensuring there are no change privileges attached to the account.
- Asking to see the bank’s written policy about how they deal with clients who suffer losses due to a security breach.
- Purchase insurance for losses caused by an online banking error or security breach.
- Dramatically improving the security procedures they follow for protecting the computer(s) and the network on which they reside, for doing e-banking.
What do you think?
Regards, Ron Lepofsky, CISSP
www.ere-security.ca
Tags: Banks, E-Banking, Information Security, IT Security, Privacy Breach, Risks
Posted in Security Postings | 1 Comment »
Thursday, March 18th, 2010
This week’s blog is Part 5 of 5 parts of a series.
You may not have heard of the IT security team called ROSI; it stands for return on security investment. It’s really the same as ROI but it helps to convey to executives that a business case is being build according to best security practices.
Determining if ROSI Objectives are Met
Tires meet the road when it is time to determine whether or not ROSI objectives for security / policy / compliance have been met. Conveying this determination is essential to building (or destroying) credibility of the group who made the mitigation recommendations in the first place.
Determining ROSI is quite simple. The actual costs resulting from events are compared with the projected costs after mitigation. If mitigation was successful, then the actual costs should be near or below the projected costs. This information can be presented as an updated version of Exhibit 3, shown as
Exhibit 5 – Projected vs. Actual Cost of Losses. For purposes of accuracy new trends that developed in the security environment over the period of study should be considered. If new trends increased the cost of losses, and the effect can be quantified, then the results should be reported accordingly.
Exhibit 5 – Projected vs. Actual Cost of Losses This exhibit can’t be shown in the blog but you can see it in a whitepaper on the ERE web site www.ere-security.ca
Summary
The task of getting approval for a sufficient budget for IT security, privacy compliance, and IT regulatory compliance is usually frustrating and arduous. The task can be made easier by presenting the IT Security Governance body with simple to understand graphics, rather than with complex business plans. The graphs should depict the relationship between the cost of risk and the cost of mitigation. The presentation process should occur both at budget request time to show the intended plan, and after the budget cycle to show the actual results. Hopefully the results trump the plan.
Sources of Information
(1) ANZ 4360:2004 Risk Management Standard http://www.ncsi.com.au/as4360.html
(2) Calculations of ALE are based upon The Official CISSP CBK, 2009, published by ISC2 www.isc2.org
(3) NIST- 88 series http://csrc.nist.gov/publications/PubsSPs.html
(4) ISACA: CISM Review Manual 2010 www.isaca.org
(5) PCI Security Standards – PCI https://www.pcisecuritystandards.org/index.shtml
(6) NERC – CIP 02 – 09 www.nerc.com
(7) ROSI Calculating Security Return on Investment, Don O’Neil Software Engineering Institute, 2007, CERT
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/business/677-BSI.html
(8) Gartner whitepaper:“Incorporating Security into the Enterprise Architecture Process, Jan 2006 www.gartner.com
(9) EISA: http://en.wikipedia.org/wiki/Enterprise_information_security_architecture
(10) The U.S. Department of Defense (DoD) Architecture Framework (DoDAF) http://www.architectureframework.com/dodaf/
(11) Extended Enterprise Architecture Framework (E2AF) from the Institute For Enterprise Architecture Developments. http://www.enterprise-architecture.info/
(12) Federal Enterprise Architecture of the United States Government (FEA) http://www.whitehouse.gov/omb/e-gov/fea/
(13) Capgemini’s Integrated Architecture Framework
http://www.capgemini.com/services-and-solutions/technology/soa/overview/ent_architecture/iaf/
(14) NIH Enterprise Architecture Framework http://enterprisearchitecture.nih.gov/About/Approach/Framework.htm
(15) Open Security Architecture ]http://www.opensecurityarchitecture.org/cms/index.php
(16) The Open Group Architecture Framework (TOGAF) http://www.opengroup.org/architecture/togaf8-doc/arch/
(17) Zachman Framework http://www.zifa.com/
(18) Control points from the COBIT framework. http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security and Privacy Compliance Auditor
www.ere-security.ca
Tags: Cost of IT Security Compliance, Information Security, IT Security, Risk of IT Security Compliance
Posted in Information Security | No Comments »
Monday, March 1st, 2010
In an article today entitled Researchers Warn Of SmartPhone Security Threats, conveniently located in the RSS feed on our web site www.ere-security.ca (no self serving here), the researchers in question discuss rootkit vulnerabilities to smart phone operating systems.
From the article, it appears that some people may / would be surprised by rootkits turning up in smart devices. Why would anybody be surprised?
Please don’t get me started about rootkits. For those of you not too familiar with these insidious creations by devious minds, rootkits are nasty programs that are designed to:
Do whatever the author intends, including but not limited to, providing admin privileges to the author, stealing information, damaging the host system, and migrating to other neighboring devices on a network. They are proficient at hiding themselves by using very sophisticated techniques involving system registries, and in turn may hide other malware from anti-virus technology. A very clear summary of the hows / whys / wheres of rootkits may be found at: http://en.wikipedia.org/wiki/Rootkit
I’d like to hear from those of you who:
- Found rootkits on your own or your clients’ devices.
- Were asked by the clients to not bother identifying the vector used by the rootkit to insert itself.
- How you found them; by forensic audit processes for instance?
- Found any software that is supposed to be resident on workstations or servers and identifies rootkits.
- Any rootkit software I’ve tested finds .dll files which appear as unidentified.
- I know there are lots of claims about tools that find / remove rootkits. My question is: has anyone found / built one that conclusively works, without creating too many false positives?
We all know the usual ways to guard against malware. The questions are:
- Why would anybody be surprised when rootkits invade the domain of intelligent portable devices?
- Why do some users of said devices treat security with complete abandon, like the “wild west”?
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security and Privacy Compliance Auditors
www.ere-security.ca
Tags: Information Security, IT Security, Root Kits, Smartphones
Posted in Internet Security | No Comments »
Wednesday, February 24th, 2010
This week’s blog is Part 4 of 5 parts of a series.
If you are in security no doubt you have been challenged by management about your security expenditures. I have often heard executives say that they regret authorizing sufficiently large security budgets because they can’t tell if the expenses were worthwhile. It’s a good point. I’ll try to address it in this blog.
Measuring the Effectiveness of Mitigation
It is paramount to close the risk management loop by comparing planned and actual results of mitigation.
Goal is to clearly identify if risk level has changed and what consistent metrics will be used to base a conclusion. Once again, this may be difficult to accomplish directly, but there certainly are metrics for measuring and comparing the results of implementing mitigation. The metrics should always:
- Produce repeatable, consistent results.
- Be understandable.
- Be reasonably simple to use over time.
The following is a good starting list of metrics that can be used for consistently measuring and reporting on risk:
- Architectures for measuring risk – Enterprise Information Security Architecture (EISA) (8), (9)
- a. The U.S. Department of Defense (DoD) Architecture Framework (DoDAF). (10)
- Extended Enterprise Architecture Framework (E2AF) from the Institute For Enterprise Architecture Developments. (11)
- Federal Enterprise Architecture of the United States Government (FEA). (12)
- Capgemini’s Integrated Architecture Framework. (13)
- NIH Enterprise Architecture Framework. (14)
- Open Security Architecture. (15)
- The Open Group Architecture Framework (TOGAF). (16)
- Zachman Framework. (17)
- Control points from the COBIT framework. (18)
- Vulnerability assessments.
- Penetration tests.
- Time trends in frequency of occurrence and the real costs of security events, privacy violations, and policy compliance violations.
- Time trends in cost to recover from events.
- Time trends in frequency of policy compliance violations that do not necessarily cause any financial losses, such as identifying Trojans, viruses, rootkits, unauthorized logins, attempted port scans, frequency of dropped packets, frequency of password lifecycle, breaches, and frequency of rescheduled / cancelled IT Security Governance meetings with business managers.
This part of the series may be a little dry. In fact it is very dry. But if you ever want to have a process done “by the book” many of my references will come in handy. If you can take another “dry” blog, the next blog will cover the same subject but from a return on investment perspective. I hope it will be helpful!
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security and Privacy Compliance Auditor
www.ere-security.ca
Tags: Cost of IT Security Compliance, Information Security, IT Security, Risk of IT Security Compliance
Posted in Information Security | No Comments »
Wednesday, February 17th, 2010
This week’s blog is Part 3 of 5 parts of a series.
I think that too often security people try to “fix” every security problem. That is not realistic or required. Many times, it is sufficient to just identify security risks and problems to management and get them to make a decision on how they want to deal with it.
But the operative phrase is “decision on how they want to deal with it.”
Calculating the Cost of Mitigation
Security professionals are well acquainted with determining the costs of mitigation. Senior executives sometimes think they too are familiar with these costs, based upon ads they read about anti-virus and firewall technology.
The danger here is that it is too easy for all concerned to focus on technology as the primary mitigation for security and compliance. It is well documented in standards published by industry experts such as NIST- 88 series (3), ISACA CoBIT (4), PCI Security Standards – PCI (5), and NERC – CIP 02 – 09 (6).
It is well advised to consider mitigation steps that include:
1. Re-engineering processes, both technological and people processes.
2. Policy – people and technology
3. Technical security.
4. Physical security.
5. People processes.
6. Training and awareness.
7. Third party auditing to verify the effectiveness of all the above.
From an IT Security Governance perspective the optimal cost point for mitigation is where the total costs of risk and mitigation are lowest. This point can be graphically determined as in Exhibit 3 – Optimal Cost Point for Mitigation.
Exhibit 3 – Optimal Cost Point for Mitigation (3) This exhibit can’t be shown in the blog but you can see it in a whitepaper on the ERE web site www.ere-security.ca
Once mitigation costs are determined, it is important to express to the IT Security Governance committee that mitigation only goes so far, and that some residual risk remains even after spending on mitigation. The residual risk can be expressed as the cost of risk that remains after mitigation is implemented. As shown in Exhibit 4 – Mitigation Cost vs. Chance of Event Occurrence, expenditures on mitigation reduce the cost of exposure to risk.
Exhibit 4 – Mitigation Cost vs. % Chance of Event Occurrence This exhibit can’t be shown in the blog but you can see it in a whitepaper on the ERE web site www.ere-security.ca
The IT Security Governance Committee may decide to deal with residual risk by:
1. Accepting the risk.
2. Moving the risk (insurance).
3. Further mitigation.
Calculating Return on Security Investment (ROSI) (7)
Once the total cost of security mitigation is determined by including any costs for managing residual risk, then it is straightforward to calculate the return on security investment, as follows:
ROSI = cost of mitigation / cost of risk
When calculating ROSI it is important to allocate mitigation costs on a pro-rated basis across all costs of risk to which they apply. In this way ROSI can be more accurately calculated and evaluated by each profit and loss manager and associated stakeholder.
The next blog will deal with figuring out if the cost of mitigation were worth it!
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security and Privacy Compliance Auditor
www.ere-security.ca
Tags: Cost of IT Security Compliance, Information Security, IT Security, Risk of IT Security Compliance
Posted in Information Security | 3 Comments »
Thursday, February 11th, 2010
This week’s blog is Part 2 of 5 parts of a series.
I know it is time consuming to do the analysis for building a business case. I’ve seen the frustration on the faces of security types who present business cases for their budget and management gives them a rough time.
Hopefully these articles will be helpful.
The next logical step would be to associate an actual cost to each event. Various methods can be used either separately or together with the implementation of an averaging metric to estimate the cost per occurrence of an event. These methods may include:
1. Soliciting expert advice from financial management, lawyers, and risk management consultants.
2. Conducting a straw poll of stakeholders, each estimating the downside cost of an event.
3. Participating in a fact gathering survey of similar businesses, each of which provides factual and straw poll estimates of the cost of an event.
4. Purchasing statistical information from industry experts regarding the cost of an event.
5. Obtaining statistical information from industry associations about the cost of an event experienced by their membership.
Using a similar methodology, the next step is to determine the likelihood of an event occurring. The most useful ways of expressing likelihood is in % chance of an event occurring in any one year.
However, any likelihood estimate should also be adjusted to account for changes in security environment. There are typically evolving waves of new threats that may affect likelihood of occurrence, such as these previous waves:
1. Viruses
2. Malware of all sorts
3. DDOS
4. Identity Theft
The likelihood estimate can then be used to:
1. Qualitatively express cost vs. likelihood as in Exhibit 1 – Potential Cost vs. % Probability of Occurrence.
2. Calculate the quantitative Annual Loss Expectancy.
Exhibit 1 – Potential Cost vs. Probability of Occurrence (1)
This exhibit can’t be shown in the blog but you can see it in a whitepaper on the ERE web site www.ere-security.ca
Obviously want to prioritize the mitigation steps to dealing with high risk / high cost situations first.
Annual Loss Expectancy (ALE) (2)
The step from qualitative to quantitative risk analysis logically occurs at this point, where the team evaluating risk triages the results of Exhibit 1 in order to decide upon those risks where they intend to focus.
The potential cost of those risks can be determined by calculating their Annual Loss Expectancy. The annual loss expectancy is the annualized estimated cost for the occurrence of any type of event. This number is useful for comparison with the annual cost of mitigation. ALE for an event is calculated by multiplying the previously determined of the cost of the event and the chance of its occurrence.
Annual loss expectancy = cost of event x chance of occurrence
Next week I will discuss the ins and outs of calculating the cost of minimizing risk and how to present this to the executives.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security and Privacy Compliance Auditor
www.ere-security.ca
Tags: Cost of IT Security Compliance, Information Security, IT Security, Risk of IT Security Compliance
Posted in Information Security | 1 Comment »
Thursday, February 4th, 2010
This week’s blog is Part 1 of 5 parts of a series.
Over the years many IT security professionals have told me about their challenges of getting the appropriately sized security budget approved. In my opinion many senior executives believe that if they have not endured a serious security breach, then there simply are not any security risks. That is my motivation for writing this series.
Executive Summary
IT security and security compliance are expensive to successfully achieve. Now pile on privacy compliance and an array of regulatory compliance obligations and the costs skyrocket.
The key to getting the IT Security Governance committee to fund the appropriate compliance budget is to speak their language.
In order to do that, risks need to be expressed in terms of costs for executives. Specifically costs need to be identified as: Potential cost of losses, mitigation costs, the total costs (potential cost of losses + mitigation costs) and residual costs.
In order to be clear and meaningful for the intended audience, the material should be presented graphically, presenting changes in both cost and risk over time.
This trending analysis is most useful for supporting the ability of the IT Security Governance committee to make well informed decisions on how to most effectively invest in security, thereby deriving optimal payback for stakeholders.
Identifying Risk and its Business Impact
The costs of risk associated with IT security / privacy and non compliance of regulatory / standards and the resulting negative impact on business can be broadly identified as follows:
1. Loss of revenue or production due to unavailability of production resource.
2. Time and effort to recover from a security related loss of production.
3. Legal.
4. Damage to brand.
5. Regulatory compliance violations.
6. Privacy compliance violations.
7. Damage to client and vendor relationships.
8. Loss of intellectual, competitive or proprietary information.
9. Un-captured profits resulting from inability to demonstrate to clients / vendors / partners a strong security process.
The cost of risk is the resulting impact on business that may be incurred should a risk become a reality or an event. Determining the cost of a potential event is difficult at best. However, it can be accomplished by employing one or more quantitative and qualitative methods, and should be undertaken by those most qualified to do so.
Those most qualified are unit profit and loss managers, stakeholders, and executives with insight into quantitatively how an event would affect their work domain.
The cost of various types of events can be viewed as categories of low, medium, and high cost. This qualitative analysis is not useful in itself, but it may assist management on how to prioritize the order in which they will perform a more in depth risk analysis.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security and Privacy Compliance Auditors
www.ere-security.ca
Tags: Cost of Security Compliance, Information Security, IT Security, Risk of Security Compliance
Posted in Information Security | 1 Comment »
|
|
