SecurityExchange2009-Key Note

    Notes on slide 1

    ISO has published the first internationally ratified benchmark document addressing incident preparedness and continuity management for organizations in both public and private sectors. The Publicly Available Specification ISO/PAS 22399:2007, Societal security – Guideline for incident preparedness and operational continuity management, is based on best practice from five national standards from Australia, Israel, Japan, the United Kingdom and the United States. Natural disasters, acts of terror, technology-related accidents and environmental incidents have clearly demonstrated that neither public nor private sectors are immune from crises, whether intentionally or unintentionally provoked. This has led to a global awareness that organizations in the public and private sectors must know how to prepare for and respond to unexpected and potentially devastating incidents. ISO/PAS 22399 is the first deliverable from ISO technical committee ISO/TC 223, Societal security, which is charged with developing standards in the area of crisis and continuity management. http://www.continuityforum.org/news/1120/ISO22399


    SecurityExchange2009-Key Note - Presentation Transcript

    1. Aligning IT Security Solutions with Business Justification
      Chaiyakorn Apiwathanokul, CISSP, GCFA, IRCA:ISMS, Chief Security Officer, PTT ICT Solutions
    2. Aligning IT Security Solutions with Business Justification
      Risk-based security investment (ROSI: Return on Security Investment)
      Global Perspective
      Besides security solutions, investing in human resources is the essential KEY to success
      Your users: need awareness
      Your IT staff: need education
      Your management: needs understanding
    3. Risk-based Security Investment
      The Challenges
      Organization using IT has associated RISK
      Vendors want to sell new stuff
      Organization doesn’t want to be outdated
      Security solution is expensive
      Limited budget
      Technology moves fast forward
      Security professionals are too techy (no business language)
      Where is the point at which enough is enough?
      Requirement-based vs. technology-based
    4. Sun Tzu – The Art of War
      “If you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”, Sun Tzu – The Art of War 6th century BC
      Understand your business - Yourself
      Understand the surrounding THREATs – Your ENEMY
      Understand the PROTECTION requirement, limitation and readiness – Your STRATEGY
    5. Risk-based = Requirement-based
      Risk Assessment
      Quantify – money figure
      Risk-based Security Investment
    6. Recent Standards/Guidelines
      By A. Chaiyakorn Apiwathanokul
    7. Identifying assets
      Tangibles
      Computers, communications equipment, wiring
      Data
      Software
      Audit records, books, documents
      Intangibles
      Privacy
      Employee safety & health
      Passwords
      Image & reputation
      Availability
      Employee morale
    8. Identify Asset Value
      Cost to acquire or develop the asset
      Cost to maintain and protect the asset
      Value of the asset to owners and users
      Value of the asset to adversaries
      Value of intellectual property that went into developing the information
      Price others are willing to pay for the asset
      Cost to replace the asset if lost
      Operational and production activities that are affected if the asset is unavailable
      Liability issues if the asset is compromised
      Usefulness and role of the asset in the organization
    9. Identifying threats
      Earthquake, flood, hurricane, lightning
      Structural failure, asbestos
      Utility loss, i.e., water, power, telecommunications
      Theft of hardware, software, data
      Terrorists, both political and information
      Software bugs, viruses, malicious code, SPAM, mail bombs
      Strikes, labor & union problems
      Hackers, internal/external
      Inflammatory usenet, Internet & web postings
      Employee illness, death
      Outbreak, epidemic, pandemic
    10. Calculating (quantifying) Risks
      Single Loss Expectancy (SLE)
      SLE = Asset Value x EF
      Annual Loss Expectancy (ALE)
      ALE = SLE x ARO
      Single Loss Expectancy (SLE)
      Amount of loss that occurs once the threat is realized
      Exposure Factor (EF)
      A measure of the magnitude of loss or impact on the value of an asset
      Annualized Rate of Occurrence (ARO)
      On an annualized basis, the frequency with which a threat is expected to occur
      Annualized Loss Expectancy (ALE)
      Single loss expectancy x annualized rate of occurrence = ALE
    11. Cost/benefit Analysis for Countermeasure Valuation
      Cost of a loss
      Often hard to determine accurately
      Cost of prevention
      Long term/short term
      Referred to as Safeguard Cost (SG)
      (ALE without SG) – (ALE with SG) – (Cost of SG) = Value of SG to the company
      This value is always referred to when determining Security ROI, or ROSI
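    The SLE/ALE quantification from slide 10 and the safeguard valuation from slide 11, carried through as an added Python example (not code from the presentation). The scenario figures, the safeguard names and the "applies_to"/reduction model for how a safeguard lowers EF or ARO are constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, in the deck's terms: AV, EF, ARO."""
    name: str
    asset_value: float      # AV: money figure for the asset
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0..1)
    aro: float              # ARO: expected occurrences per year
    def sle(self) -> float:  # Single Loss Expectancy = AV x EF
        return self.asset_value * self.exposure_factor
    def ale(self) -> float:  # Annualized Loss Expectancy = SLE x ARO
        return self.sle() * self.aro

@dataclass(frozen=True)
class Safeguard:
    """Countermeasure with an annual cost that lowers EF and/or ARO (assumed model)."""
    name: str
    annual_cost: float
    applies_to: frozenset       # names of the scenarios it affects
    ef_reduction: float = 0.0   # fraction by which EF drops
    aro_reduction: float = 0.0  # fraction by which ARO drops
    def apply(self, s: Scenario) -> Scenario:
        if s.name not in self.applies_to:
            return s
        return Scenario(s.name, s.asset_value,
                        s.exposure_factor * (1 - self.ef_reduction),
                        s.aro * (1 - self.aro_reduction))

def safeguard_value(scenarios, sg: Safeguard) -> float:
    """Slide 11: (ALE without SG) - (ALE with SG) - (cost of SG)."""
    ale_no_sg = sum(s.ale() for s in scenarios)
    ale_with_sg = sum(sg.apply(s).ale() for s in scenarios)
    return round(ale_no_sg - ale_with_sg - sg.annual_cost, 2)

def rank_safeguards(scenarios, safeguards):
    """Best value first; a negative value means the safeguard costs more
    per year than the risk it removes, so it is not justified."""
    scored = [(sg.name, safeguard_value(scenarios, sg)) for sg in safeguards]
    return sorted(scored, key=lambda t: t[1], reverse=True)

# Constructed sample figures, not from the presentation.
RANSOM, LAPTOP = "ransomware on file server", "lost laptop with customer data"
SCENARIOS = [Scenario(RANSOM, 500_000, 0.40, 0.5),
             Scenario(LAPTOP, 200_000, 0.25, 2.0)]
SAFEGUARDS = [
    Safeguard("offline backups", 30_000, frozenset({RANSOM}), ef_reduction=0.75),
    Safeguard("full-disk encryption", 15_000, frozenset({LAPTOP}), ef_reduction=0.90),
    Safeguard("vendor's new appliance", 120_000, frozenset({RANSOM}), aro_reduction=0.5),
]
```

    With these figures the encryption safeguard ranks first and the expensive appliance comes out negative, which is the business-language answer to "vendors want to sell new stuff".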
    12. Global Perspective
    13. From Global Workforce Study by (ISC)2
    14. Information Technology (IT) Security
      Essential Body of Knowledge (EBK)
      A Competency and Functional Framework
      for IT Security Workforce Development
      September 2008
      United States Department of Homeland Security
    15. DoD 8570.01-M, Information Assurance Workforce Improvement Program, December 19, 2005
    16. DoD 8570.01-M, Information Assurance Workforce Improvement Program, May 15, 2008
    17. Why was the EBK established?
      Rapid evolution of technology
      Various aspects and expertise are increasingly required
      Standard or common guideline in recruiting, training and retaining of workforce
      Knowledge and skill baseline
      Linkage between competencies and job functions
      For public and private sectors
    18. Key Divisions
      4 functional perspectives
      14 competency areas
      10 roles
    19. Functional Perspectives
      Manage
      Design
      Implement
      Evaluate
    20. IT Security Roles
      Chief Information Officer
      Digital Forensics Professional
      Information Security Officer
      IT Security Compliance Officer
      IT Security Engineer
      IT Security Professional
      IT Systems Operations and Maintenance Professional
      Physical Security Professional
      Privacy Professional
      Procurement Professional
    21. Competency Areas (MDIE in each: Manage, Design, Implement, Evaluate)
      Data Security
      Digital Forensics
      Enterprise Continuity
      Incident Management
      IT Security Training and Awareness
      IT System Operations and Maintenance
      Network and Telecommunication Security
      Personnel Security
      Physical and Environmental Security
      Procurement
      Regulatory and Standards Compliance
      Security Risk Management
      Strategic Security Management
      System and Application Security
    22. TISA EBK Analysis
      Entry Level
      Professional Level
      Managerial Level
    23. Your Competency Scorecard
    24. Enterprise Infosec Competency Profile
      Enterprise
      Capability
      EBK
      Training
      Provider
    25. http://www.TISA.or.th
    26. 0-30
    27. Thank You
    Risk-based Security Investment, ROSI

    © All Rights Reserved