SecurityExchange2009-Key Note


Risk-based Security Investment, ROSI

  • Speaker note: ISO has published the first internationally ratified benchmark document addressing incident preparedness and continuity management for organizations in both the public and private sectors. The Publicly Available Specification ISO/PAS 22399:2007, Societal security – Guideline for incident preparedness and operational continuity management, is based on best practice from five national standards from Australia, Israel, Japan, the United Kingdom and the United States. Natural disasters, acts of terror, technology-related accidents and environmental incidents have clearly demonstrated that neither public nor private sectors are immune from crises, whether intentionally or unintentionally provoked. This has led to a global awareness that organizations in the public and private sectors must know how to prepare for and respond to unexpected and potentially devastating incidents. ISO/PAS 22399 is the first deliverable from ISO technical committee ISO/TC 223, Societal security, which is charged with developing standards in the area of crisis and continuity management.

1. Aligning IT Security Solutions with Business Justification
   Chaiyakorn Apiwathanokul, CISSP, GCFA, IRCA:ISMS, Chief Security Officer, PTT ICT Solutions

2. Aligning IT Security Solutions with Business Justification
   • Risk-based security investment (ROSI: Return on Security Investment)
   • Global perspective
   • Besides security solutions, investing in human resources is the essential KEY to success
     • Your users: need awareness
     • Your IT staff: need education
     • Your management: need understanding

3. Risk-based Security Investment: The Challenges
   • An organization using IT has associated RISK
   • Vendors want to sell new stuff
   • The organization doesn't want to be outdated
   • Security solutions are expensive
   • Limited budget
   • Technology moves fast forward
   • Security professionals are too techy (no business language)
   • When is enough enough?
   • Requirement-based vs. technology-based

4. Sun Tzu – The Art of War
   "If you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle." (Sun Tzu, The Art of War, 6th century BC)
   • Understand your business – Yourself
   • Understand the surrounding THREATs – Your ENEMY
   • Understand the PROTECTION requirement, limitation and readiness – Your STRATEGY

5. Risk-based = Requirement-based
   • Risk assessment
   • Quantify – money figure
   • Risk-based security investment

6. Recent Standards/Guidelines
   By A. Chaiyakorn Apiwathanokul

7. Identifying Assets
   • Tangibles
     • Computers, communications equipment, wiring
     • Data
     • Software
     • Audit records, books, documents
   • Intangibles
     • Privacy
     • Employee safety and health
     • Passwords
     • Image and reputation
     • Availability
     • Employee morale

8. Identify Asset Value
   • Cost to acquire or develop the asset
   • Cost to maintain and protect the asset
   • Value of the asset to owners and users
   • Value of the asset to adversaries
   • Value of intellectual property that went into developing the information
   • Price others are willing to pay for the asset
   • Cost to replace the asset if lost
   • Operational and production activities that are affected if the asset is unavailable
   • Liability issues if the asset is compromised
   • Usefulness and role of the asset in the organization

9. Identifying Threats
   • Earthquake, flood, hurricane, lightning
   • Structural failure, asbestos
   • Utility loss, i.e., water, power, telecommunications
   • Theft of hardware, software, data
   • Terrorists, both political and information
   • Software bugs, viruses, malicious code, SPAM, mail bombs
   • Strikes, labor and union problems
   • Hackers, internal/external
   • Inflammatory Usenet, Internet and web postings
   • Employee illness, death
   • Outbreak, epidemic, pandemic

10. Calculating (Quantifying) Risks
   • Single Loss Expectancy (SLE): SLE = Asset Value x EF
   • Annual Loss Expectancy (ALE): ALE = SLE x ARO
   • Single Loss Expectancy (SLE): the amount of loss incurred once the threat is realized
   • Exposure Factor (EF): a measure of the magnitude of loss or impact on the value of an asset, expressed as the fraction of the asset value lost per incident
   • Annualized Rate of Occurrence (ARO): on an annualized basis, the frequency with which a threat is expected to occur
   • Annualized Loss Expectancy (ALE): single loss expectancy x annualized rate of occurrence = ALE

11. Cost/Benefit Analysis for Countermeasure Valuation
   • Cost of a loss: often hard to determine accurately
   • Cost of prevention: long term/short term; referred to as the Safeguard (SG) Cost
   • (ALE without SG) – (ALE with SG) – (Cost of SG) = Value of SG to the company
   • This value is always referred to when determining Security ROI or ROSI
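The SLE/ALE and safeguard-value formulas of slides 10 and 11, worked through in code as an added example (not part of the original presentation). The asset figures and the three safeguards are constructed for illustration, and the ROSI ratio (net safeguard value divided by safeguard cost) is an assumed common form, not one the slides define.

```python
# Added example: risk-based safeguard valuation (SLE / ALE / Value of SG / ROSI).
# All monetary figures and safeguards below are constructed, not real data.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset: asset value (AV), exposure factor (EF)
    as the fraction of AV lost per incident, and annualized rate of occurrence (ARO)."""
    asset_value: float
    exposure_factor: float
    aro: float

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor   # SLE = AV x EF

    def ale(self) -> float:
        return self.sle() * self.aro                     # ALE = SLE x ARO


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure: its annualized cost and the residual scenario it leaves."""
    name: str
    annual_cost: float
    residual: Scenario


def safeguard_value(before: Scenario, sg: Safeguard) -> float:
    """(ALE without SG) - (ALE with SG) - (Cost of SG), as on slide 11."""
    return before.ale() - sg.residual.ale() - sg.annual_cost


def rosi(before: Scenario, sg: Safeguard) -> float:
    """Assumed ratio form of ROSI: net safeguard value per unit of safeguard cost."""
    return safeguard_value(before, sg) / sg.annual_cost


def rank_safeguards(before: Scenario, candidates: List[Safeguard]) -> List[Tuple[str, float, float]]:
    """(name, value, rosi) sorted by value, best first. A negative value means the
    safeguard costs more per year than the risk it removes and is not justified."""
    rows = [(sg.name, safeguard_value(before, sg), rosi(before, sg)) for sg in candidates]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed baseline: a 1,000,000 asset losing 40% per incident, once every 2 years.
BASELINE = Scenario(asset_value=1_000_000, exposure_factor=0.4, aro=0.5)
CANDIDATES = [
    Safeguard("Backup + DR site", 50_000, Scenario(1_000_000, 0.4, 0.05)),   # cuts ARO
    Safeguard("Full replacement", 250_000, Scenario(1_000_000, 0.4, 0.0)),   # removes risk, but costly
    Safeguard("Segmentation", 30_000, Scenario(1_000_000, 0.1, 0.5)),        # cuts EF
]

if __name__ == "__main__":
    for name, value, ratio in rank_safeguards(BASELINE, CANDIDATES):
        flag = "" if value >= 0 else "  <- not justified"
        print(f"{name:18s} value={value:>10,.0f} ROSI={ratio:5.2f}{flag}")
```

Note that the most expensive option ranks last with a negative value even though it eliminates the risk entirely, which is the "when is enough enough?" point of slide 3 in numbers.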
12. Global Perspective

13. From the Global Workforce Study by (ISC)2

14. (image-only slide)

15. (image-only slide)

16. (image-only slide)

17. Information Technology (IT) Security Essential Body of Knowledge (EBK)
   A Competency and Functional Framework for IT Security Workforce Development
   September 2008, United States Department of Homeland Security

18. DoD 8570.01-M, Information Assurance Workforce Improvement Program, December 19, 2005

19. DoD 8570.01-M, Information Assurance Workforce Improvement Program, May 15, 2008

20. Why was the EBK established?
   • Rapid evolution of technology
   • Various aspects and areas of expertise are increasingly required
   • A standard or common guideline for recruiting, training and retaining the workforce
   • Knowledge and skill baseline
   • Linkage between competencies and job functions
   • For public and private sectors

21. Key Divisions
   • 4 functional perspectives
   • 14 competency areas
   • 10 roles

22. Functional Perspectives
   • Manage
   • Design
   • Implement
   • Evaluate

23. IT Security Roles
   • Chief Information Officer
   • Digital Forensics Professional
   • Information Security Officer
   • IT Security Compliance Officer
   • IT Security Engineer
   • IT Security Professional
   • IT Systems Operations and Maintenance Professional
   • Physical Security Professional
   • Privacy Professional
   • Procurement Professional

24. Competency Areas (MDIE, i.e. Manage/Design/Implement/Evaluate, in each)
   • Data Security
   • Digital Forensics
   • Enterprise Continuity
   • Incident Management
   • IT Security Training and Awareness
   • IT System Operations and Maintenance
   • Network and Telecommunication Security
   • Personnel Security
   • Physical and Environmental Security
   • Procurement
   • Regulatory and Standards Compliance
   • Security Risk Management
   • Strategic Security Management
   • System and Application Security

25. (image-only slide)

26. TISA EBK Analysis
   • Entry Level
   • Professional Level
   • Managerial Level

27. Your Competency Scorecard

28. Enterprise Infosec Competency Profile
   • Enterprise
   • Capability
   • EBK
   • Training Provider

29. (image-only slide)

30. 0-30

31. Thank You