SecurityExchange2009-Key Note
Upcoming SlideShare
Loading in...5

SecurityExchange2009-Key Note



Risk-base Security Investment, ROSI

Risk-base Security Investment, ROSI



Total Views
Views on SlideShare
Embed Views



1 Embed 1 1



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment
  • ISO has published the first internationally ratified benchmark document addressing incident preparedness and continuity management for organizations in both public and private sectors.The Publicly Available Specification ISO/PAS 22399:2007, Societal security – Guideline for incident preparedness and operational continuity management, is based on best practice from five national standards from Australia, Israel, Japan, the United Kingdom and the United States.Natural disasters, acts of terror, technology-related accidents and environmental incidents have clearly demonstrated that neither public nor private sectors are immune from crises, either intentionally or unintentionally provoked. This has lead to a global awareness that organizations in the public and private sectors must know how to prepare for and respond to unexpected and potentially devastating incidents. ISO/PAS 22399 is the first deliverable from ISO technical committee ISO/TC 223, Societal security, which is charged with developing standards in the area of crisis and continuity management.

SecurityExchange2009-Key Note SecurityExchange2009-Key Note Presentation Transcript

  • Aligning IT Security Solutions with Business Justification
    Chaiyakorn ApiwathanokulCISSP,GCFA,IRCA:ISMSChief Security Officer, PTT ICT Solutions
  • Aligning IT Security Solutions with Business Justification
    Risk-base security investment (ROSI: Return on Security Investment)
    Global Perspective
    Beside security solutions, investing in human resource is essential KEY to success
    Your user: need awareness
    Your IT staff: need education
    Your management: need understanding
  • Risk-base Security Investment
    The Challenges
    Organization using IT has associated RISK
    Vendors want to sell new stuff
    Organization doesn’t want to be outdated
    Security solution is expensive
    Limited budget
    Technology moves fast forward
    Security prof. is too techy(no business language)
    Where enough is enough?
    Requirement base vs. Technology base
  • Sun Tzu – The Art of War
    “If you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”, Sun Tzu – The Art of War 6th century BC
    Understand your business - Yourself
    Understand the surrounding THREATs – Your ENEMY
    Understand the PROTECTION requirement, limitation and readiness – Your STRATEGY
  • Risk-base = Requirement-base
    Risk Assessment
    Quantify – money figure
    Risk-base Security Investment
  • Recent Standards/Guidelines
    By A. Chaiyakorn Apiwathanokul
  • Identifying assets
    Computers, communications equipment, wiring
    Audit records, books, documents
    Employee safety & health
    Image & reputation
    Employee morale
  • 1
    Identify Asset Value
    Cost to acquire or develop the asset
    Cost to maintain and protect the asset
    Value of the asset to owners and users
    Value of the asset to adversaries
    Value of intellectual property that went into developing the information
    Price others are willing to pay for the asset
    Cost to replace the asset if lost
    Operational and production activities that are affected if the asset is unavailable
    Liability issues if the asset is compromised
    Usefulness and role of the asset in the organization
  • Identifying threats
    Earthquake, flood, hurricane, lightening
    Structural failure, asbestos
    Utility loss, i.e., water, power, telecommunications
    Theft of hardware, software, data
    Terrorists, both political and information
    Software bugs, virii, malicious code, SPAM, mail bombs
    Strikes, labor & union problems
    Hackers, internal/external
    Inflammatory usenet, Internet & web postings
    Employee illness, death
    Outbreak, epidemic, pandemic
  • 1
    Calculating (quantifying) Risks
    Single Loss Expectancy (SLE)
    SLE = Asset Value x EF
    Annual Lose Expectancy
    ALE = SLE x ARO
    Single Lose Expectancy (SLE)
    Amount of lose occur once the threat is realized
    Exposure Factor (EF)
    A measure of the magnitude of loss or impact on the value of an asset
    Annualized rate of occurrence (ARO)
    On an annualized basis, the frequency with which a threat is expected to occur
    Annualized loss expectancy (ALE)
    Single loss expectance x annualized rate of occurrence = ALE
  • Cost/benefit Analysis forCountermeasure Valuation
    Cost of a loss
    Often hard to determine accurately
    Cost of prevention
    Long term/short term
    Refer as Safeguard Cost
    (ALEno.SG) – (ALEwith.SG) – (Cost of SG) = Value of SG to the company
    This value is always referred to when determining Security ROI or ROSI
  • Global Perspective
  • From Global Workforce Study by (ISC)2
  • Information Technology (IT) Security
    Essential Body of Knowledge (EBK)
    A Competency and Functional Framework
    for IT Security Workforce Development
    September 2008
    United States Department of Homeland Security
  • DoD 8570.01-MInformation Assurance Workforce Improvement ProgramDecember 19, 2005
  • DoD 8570.01-MInformation Assurance Workforce Improvement ProgramMay 15, 2008
  • Why was the EBK established?
    Rapid evolution of technology
    Various aspects and expertise are increasingly required
    Standard or common guideline in recruiting, training and retaining of workforce
    Knowledge and skill baseline
    Linkage between competencies and job functions
    For public and private sectors
  • Key Divisions
    4 functional perspectives
    14 competency areas
    10 roles
  • Functional Perspectives
  • IT Security Roles
    Chief Information Officer
    Digital Forensics Professional
    Information Security Officer
    IT Security Compliance Officer
    IT Security Engineer
    IT Security Professional
    IT Systems Operations and Maintenance Professional
    Physical Security Professional
    Privacy Professional
    Procurement Professional
  • Competency Areas (MDIE in each)
    Data Security
    Digital Forensics
    Enterprise Continuity
    Incident Management
    IT Security Training and Awareness
    IT System Operations and Maintenance
    Network and Telecommunication Security
    Personnel Security
    Physical and Environmental Security
    Regulatory and Standards Compliance
    Security Risk Management
    Strategic Security Management
    System and Application Security
  • TISA EBK Analysis
    Entry Level
    Professional Level
    Managerial Level
  • Your Competency Scorecard
  • Enterprise Infosec Competency Profile
  • 0-30
  • Thank You