1. Aligning IT Security Solutions with Business Justification
Chaiyakorn Apiwathanokul, CISSP, GCFA, IRCA:ISMS
Chief Security Officer, PTT ICT Solutions
2. Aligning IT Security Solutions with Business Justification
- Risk-based security investment (ROSI: Return on Security Investment)
- Global perspective
- Besides security solutions, investing in people is the essential KEY to success:
  - Your users need awareness
  - Your IT staff need education
  - Your management needs understanding
3. Risk-based Security Investment: The Challenges
- An organization that uses IT carries the associated RISK
- Vendors want to sell new products
- The organization doesn't want to be outdated
- Security solutions are expensive
- The budget is limited
- Technology moves fast
- Security professionals are too technical (no business language)
- When is enough enough?
- Requirement-based vs. technology-based investment
4. Sun Tzu, The Art of War
"If you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle." (Sun Tzu, The Art of War, 6th century BC)
- Understand your business: yourself
- Understand the surrounding THREATs: your ENEMY
- Understand the PROTECTION requirements, limitations and readiness: your STRATEGY
8. Identify Asset Value
- Cost to acquire or develop the asset
- Cost to maintain and protect the asset
- Value of the asset to owners and users
- Value of the asset to adversaries
- Value of the intellectual property that went into developing the information
- Price others are willing to pay for the asset
- Cost to replace the asset if lost
- Operational and production activities that are affected if the asset is unavailable
- Liability issues if the asset is compromised
- Usefulness and role of the asset in the organization
9. Identifying Threats
- Earthquake, flood, hurricane, lightning
- Structural failure, asbestos
- Utility loss, i.e., water, power, telecommunications
- Theft of hardware, software, data
- Terrorists, both political and information
- Software bugs, viruses, malicious code, spam, mail bombs
- Strikes, labor and union problems
- Hackers, internal and external
- Inflammatory Usenet, Internet and web postings
- Employee illness, death
- Outbreak, epidemic, pandemic
10. Calculating (Quantifying) Risks
- Single Loss Expectancy (SLE): SLE = Asset Value x EF
- Annualized Loss Expectancy (ALE): ALE = SLE x ARO
- Single Loss Expectancy (SLE): the amount of loss incurred once the threat is realized
- Exposure Factor (EF): a measure of the magnitude of loss or impact on the value of an asset, expressed as the fraction (0 to 1) of the asset value lost in one incident
- Annualized Rate of Occurrence (ARO): the frequency with which the threat is expected to occur, on an annualized basis (0.5 means once every two years)
- Annualized Loss Expectancy (ALE): single loss expectancy x annualized rate of occurrence = ALE
11. Cost/Benefit Analysis for Countermeasure Valuation
- Cost of a loss: often hard to determine accurately
- Cost of prevention: long term and short term; referred to as the safeguard (SG) cost. Because ALE is an annual figure, the SG cost must be annualized (one-off purchase cost spread over the safeguard's lifetime, plus yearly running cost) before the two are compared
- (ALE without SG) - (ALE with SG) - (annual cost of SG) = value of the SG to the company
- This value is the figure referred to when determining security ROI (ROSI); a negative value means the safeguard costs more than the risk it removes
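As an added worked example (not from the deck), the SLE/ALE formulas and the safeguard valuation above carried through in Python for a constructed scenario: one asset, one threat, three candidate safeguards ranked by the value each returns to the company. The asset value, EF/ARO figures, safeguard names and costs are all assumptions chosen for illustration.

```python
"""Worked ROSI calculation using the slides' symbols (added example, not from the deck).

SLE = AV x EF, ALE = SLE x ARO,
value of safeguard = ALE(no SG) - ALE(with SG) - annual cost of SG.
Every asset figure and safeguard parameter below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF.  EF is the fraction of the asset's value lost in one incident."""
    if asset_value < 0:
        raise ValueError("asset value must be non-negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO.  ARO 0.5 means one incident every two years on average."""
    if aro < 0:
        raise ValueError("ARO must be non-negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and the residual EF/ARO it leaves behind."""
    name: str
    purchase_cost: float   # one-off acquisition cost
    annual_cost: float     # licences, support, staff time per year
    lifetime_years: int    # spreads the one-off cost, because ALE is an annual figure
    residual_ef: float     # EF once the safeguard is in place
    residual_aro: float    # ARO once the safeguard is in place

    def annual_total_cost(self) -> float:
        """Annualized safeguard cost, so it is comparable with ALE."""
        if self.lifetime_years < 1:
            raise ValueError("lifetime must be at least one year")
        return self.purchase_cost / self.lifetime_years + self.annual_cost


def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> Dict:
    """(ALE without SG) - (ALE with SG) - (annual cost of SG), plus ROSI as a ratio of cost."""
    ale_without = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_with = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, sg.residual_ef), sg.residual_aro)
    cost = sg.annual_total_cost()
    value = ale_without - ale_with - cost
    return {
        "name": sg.name,
        "ale_without": ale_without,
        "ale_with": ale_with,
        "annual_cost": cost,
        "value": value,  # negative: the control costs more than the risk it removes
        "rosi": value / cost if cost else float("inf"),
    }


def rank_safeguards(asset_value: float, ef: float, aro: float,
                    candidates: List[Safeguard]) -> List[Dict]:
    """Rank candidates by the value they return to the company, highest first."""
    return sorted((safeguard_value(asset_value, ef, aro, sg) for sg in candidates),
                  key=lambda r: r["value"], reverse=True)


def example_ranking() -> List[Dict]:
    """Constructed scenario: a customer database valued at 2,000,000 (currency units);
    a breach destroys 25% of that value (EF 0.25) and is expected every two years (ARO 0.5)."""
    candidates = [  # names, costs and residual EF/ARO are assumptions for illustration
        Safeguard("DLP with database encryption", 300_000, 40_000, 3, 0.05, 0.5),
        Safeguard("Enterprise SIEM with 24x7 SOC", 900_000, 150_000, 3, 0.10, 0.25),
        Safeguard("Security awareness training", 0, 30_000, 1, 0.25, 0.3),
    ]
    return rank_safeguards(2_000_000, 0.25, 0.5, candidates)


if __name__ == "__main__":
    for r in example_ranking():
        print(f"{r['name']:32} ALE {r['ale_without']:>9,.0f} -> {r['ale_with']:>9,.0f}  "
              f"cost {r['annual_cost']:>9,.0f}  value {r['value']:>10,.0f}  ROSI {r['rosi']:.2f}")
```

In this constructed scenario the ALE without any safeguard is 250,000 per year. Awareness training (value 70,000, ROSI 2.33) ranks above DLP (value 60,000, ROSI 0.43), and the large SIEM purchase comes out negative (-250,000): it reduces the same risk but its annualized cost exceeds the reduction, which is the "when is enough enough" point from the challenges slide. Two caveats a practitioner should keep in mind: residual EF and ARO are estimates, so run the ranking with a range of values before presenting it to management, and the values of two safeguards are not simply additive, since the second one operates on the risk left after the first.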
17. Information Technology (IT) Security Essential Body of Knowledge (EBK)
A Competency and Functional Framework for IT Security Workforce Development
September 2008, United States Department of Homeland Security
20. Why was the EBK established?
- Rapid evolution of technology
- Diverse aspects and areas of expertise are increasingly required
- A standard or common guideline for recruiting, training and retaining the workforce
- A knowledge and skill baseline
- Linkage between competencies and job functions
- For both public and private sectors
23. IT Security Roles
- Chief Information Officer
- Digital Forensics Professional
- Information Security Officer
- IT Security Compliance Officer
- IT Security Engineer
- IT Security Professional
- IT Systems Operations and Maintenance Professional
- Physical Security Professional
- Privacy Professional
- Procurement Professional
24. Competency Areas (each broken down by the MDIE functions: Manage, Design, Implement, Evaluate)
- Data Security
- Digital Forensics
- Enterprise Continuity
- Incident Management
- IT Security Training and Awareness
- IT System Operations and Maintenance
- Network and Telecommunication Security
- Personnel Security
- Physical and Environmental Security
- Procurement
- Regulatory and Standards Compliance
- Security Risk Management
- Strategic Security Management
- System and Application Security
ISO has published the first internationally ratified benchmark document addressing incident preparedness and continuity management for organizations in both the public and private sectors. The Publicly Available Specification ISO/PAS 22399:2007, Societal security – Guideline for incident preparedness and operational continuity management, is based on best practice from five national standards from Australia, Israel, Japan, the United Kingdom and the United States. Natural disasters, acts of terror, technology-related accidents and environmental incidents have clearly demonstrated that neither the public nor the private sector is immune from crises, whether intentionally or unintentionally provoked. This has led to a global awareness that organizations in both sectors must know how to prepare for and respond to unexpected and potentially devastating incidents. ISO/PAS 22399 is the first deliverable from ISO technical committee ISO/TC 223, Societal security, which is charged with developing standards in the area of crisis and continuity management.
Source: http://www.continuityforum.org/news/1120/ISO22399