Risk-base Security Investment, ROSI

1. Aligning IT Security Solutions with Business Justification Chaiyakorn ApiwathanokulCISSP,GCFA,IRCA:ISMSChief Security Officer, PTT ICT Solutions

2. Aligning IT Security Solutions with Business Justification Risk-base security investment (ROSI: Return on Security Investment) Global Perspective Beside security solutions, investing in human resource is essential KEY to success Your user: need awareness Your IT staff: need education Your management: need understanding

3. Risk-base Security Investment The Challenges Organization using IT has associated RISK Vendors want to sell new stuff Organization doesn’t want to be outdated Security solution is expensive Limited budget Technology moves fast forward Security prof. is too techy(no business language) Where enough is enough? Requirement base vs. Technology base

4. Sun Tzu – The Art of War “If you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”, Sun Tzu – The Art of War 6th century BC Understand your business - Yourself Understand the surrounding THREATs – Your ENEMY Understand the PROTECTION requirement, limitation and readiness – Your STRATEGY

5. Risk-base = Requirement-base Risk Assessment Quantify – money figure Risk-base Security Investment

6. Recent Standards/Guidelines By A. Chaiyakorn Apiwathanokul

7. Identifying assets Tangibles Computers, communications equipment, wiring Data Software Audit records, books, documents Intangibles Privacy Employee safety & health Passwords Image & reputation Availability Employee morale

8. 1 Identify Asset Value Cost to acquire or develop the asset Cost to maintain and protect the asset Value of the asset to owners and users Value of the asset to adversaries Value of intellectual property that went into developing the information Price others are willing to pay for the asset Cost to replace the asset if lost Operational and production activities that are affected if the asset is unavailable Liability issues if the asset is compromised Usefulness and role of the asset in the organization

9. Identifying threats Earthquake, flood, hurricane, lightening Structural failure, asbestos Utility loss, i.e., water, power, telecommunications Theft of hardware, software, data Terrorists, both political and information Software bugs, virii, malicious code, SPAM, mail bombs Strikes, labor & union problems Hackers, internal/external Inflammatory usenet, Internet & web postings Employee illness, death Outbreak, epidemic, pandemic

10. 1 Calculating (quantifying) Risks Single Loss Expectancy (SLE) SLE = Asset Value x EF Annual Lose Expectancy ALE = SLE x ARO Single Lose Expectancy (SLE) Amount of lose occur once the threat is realized Exposure Factor (EF) A measure of the magnitude of loss or impact on the value of an asset Annualized rate of occurrence (ARO) On an annualized basis, the frequency with which a threat is expected to occur Annualized loss expectancy (ALE) Single loss expectance x annualized rate of occurrence = ALE

11. Cost/benefit Analysis forCountermeasure Valuation Cost of a loss Often hard to determine accurately Cost of prevention Long term/short term Refer as Safeguard Cost (ALEno.SG) – (ALEwith.SG) – (Cost of SG) = Value of SG to the company This value is always referred to when determining Security ROI or ROSI

12. Global Perspective

13. From Global Workforce Study by (ISC)2

17. Information Technology (IT) Security Essential Body of Knowledge (EBK) A Competency and Functional Framework for IT Security Workforce Development September 2008 United States Department of Homeland Security

18. DoD 8570.01-MInformation Assurance Workforce Improvement ProgramDecember 19, 2005

19. DoD 8570.01-MInformation Assurance Workforce Improvement ProgramMay 15, 2008

20. Why was the EBK established? Rapid evolution of technology Various aspects and expertise are increasingly required Standard or common guideline in recruiting, training and retaining of workforce Knowledge and skill baseline Linkage between competencies and job functions For public and private sectors

21. Key Divisions 4 functional perspectives 14 competency areas 10 roles

22. Functional Perspectives Manage Design Implement Evaluate

23. IT Security Roles Chief Information Officer Digital Forensics Professional Information Security Officer IT Security Compliance Officer IT Security Engineer IT Security Professional IT Systems Operations and Maintenance Professional Physical Security Professional Privacy Professional Procurement Professional

24. Competency Areas (MDIE in each) Data Security Digital Forensics Enterprise Continuity Incident Management IT Security Training and Awareness IT System Operations and Maintenance Network and Telecommunication Security Personnel Security Physical and Environmental Security Procurement Regulatory and Standards Compliance Security Risk Management Strategic Security Management System and Application Security

26. TISA EBK Analysis Entry Level Professional Level Managerial Level

27. Your Competency Scorecard

28. Enterprise Infosec Competency Profile Enterprise Capability EBK Training Provider

29. http://www.TISA.or.th

30. 0-30

31. Thank You