Before you invest in security products or services, check
whether you should be spending that money at all.
Spending your security budget wisely?
In a large number of security implementations great care has
been taken to secure the "Office System", its servers, its access
to and from the Internet, and its PCs against viruses, without
anyone first stepping back from the components of the IT system
to ask two questions: "What are we actually trying to protect?"
and "What is the impact, in monetary terms, if that protection
is breached?"
This step is often forgotten, or given only scant regard, in many
of the security systems that are implemented, even where a security
methodology has been followed. Done properly, it not only ensures
that security controls are targeted in the right direction but
also gives you the basis to show the company's financial controllers,
in terms they understand, that the security budget is being spent
where it will have most value.
The first step is to produce a list of the assets you wish to
protect. These are not just hardware and software; very often
the really valuable assets are the information, the people, the
services being provided and the company's image. A detailed
inventory of every IT asset is not always necessary for this
purpose: assets can be grouped together where they all support
one type of business process or hold one type of information.
Having agreed what is to be protected, the next step is to assess
how valuable those assets are. This is achieved by assessing
the potential impact of a security breach of those assets. Each
asset, or group of assets, should be assessed and a value given
for each of the following three types of loss:
1. A loss in availability of the asset (Availability)
2. Access to the asset by unauthorised people or systems (Confidentiality)
3. Corruption of the asset (Integrity)
A valuation scale is required for this. It can be as simple as
high, medium and low, but if the results are to be used in a
business case, or to decide whether it is economically sound to
implement a technical control, then a monetary loss scale should
be used, so that the cost of a control can be compared directly
with the loss it prevents.
Once you have these results, then you have a good handle on
how much a loss of confidentiality, integrity or availability
would cost your company. This is a very powerful tool when putting
forward a business case.
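The steps above, asset grouping by business process, a monetary value for each of the three loss types, and a comparison of control cost against the loss it prevents, are modelled in the following Python example. It is an added illustration written for this page, not a tool or method of Positive Computer Solutions; the assets, business processes and pound values in the register are constructed for the example and are not real figures.

```python
"""Asset and impact register in the style described above.

Constructed example: every asset, process name and monetary value below is
invented for illustration. Values are worst-case losses in pounds for a
single breach; threat likelihood is deliberately not modelled, because the
valuation step described on this page is about impact only.
"""
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Impact:
    """Monetary loss if the asset suffers each of the three types of breach."""
    availability: int      # asset unavailable
    confidentiality: int   # asset accessed by unauthorised people or systems
    integrity: int         # asset corrupted

    def worst(self) -> int:
        """Largest single loss the asset can cause; used to rank assets."""
        return max(self.availability, self.confidentiality, self.integrity)


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str       # information, people, service, image, hardware/software
    process: str    # business process the asset (or group) supports
    impact: Impact


# Constructed register. Note that the "Office System" assets are grouped
# into one entry, while the non-IT assets are listed explicitly.
REGISTER = [
    Asset("Office System (file server, mail, desktops)", "hardware/software",
          "Office administration", Impact(20_000, 5_000, 10_000)),
    Asset("Public web site content", "information",
          "Marketing and sales", Impact(2_000, 0, 5_000)),
    Asset("Company reputation", "image",
          "Marketing and sales", Impact(0, 250_000, 250_000)),
    Asset("Research material on individual PCs", "information",
          "Research and development", Impact(150_000, 400_000, 150_000)),
    Asset("Production line configuration (paper notes, staff memory)", "people",
          "Manufacturing", Impact(300_000, 20_000, 300_000)),
]


def asset_by_name(register: list[Asset], name: str) -> Asset:
    """Look up a single asset; raises KeyError if it is not in the register."""
    for asset in register:
        if asset.name == name:
            return asset
    raise KeyError(name)


def rank_by_exposure(register: list[Asset]) -> list[Asset]:
    """Assets ordered by their worst single loss, highest first."""
    return sorted(register, key=lambda a: a.impact.worst(), reverse=True)


def exposure_by_process(register: list[Asset]) -> dict[str, int]:
    """Sum of worst-case losses per business process, for the budget holder."""
    totals: dict[str, int] = defaultdict(int)
    for asset in register:
        totals[asset.process] += asset.impact.worst()
    return dict(totals)


def control_is_economic(cost: int, protected: list[Asset], loss_type: str) -> bool:
    """True if a control costs no more than the loss of the given type it
    prevents across every asset it protects. Impact-only test, as a first
    filter before threats and vulnerabilities are assessed."""
    prevented = sum(getattr(a.impact, loss_type) for a in protected)
    return cost <= prevented


if __name__ == "__main__":
    for asset in rank_by_exposure(REGISTER):
        print(f"{asset.impact.worst():>9,}  {asset.name}")
    print(exposure_by_process(REGISTER))
    web = asset_by_name(REGISTER, "Public web site content")
    reputation = asset_by_name(REGISTER, "Company reputation")
    # A 30,000 web integrity control looks uneconomic against the content
    # alone, but is justified once the reputational impact of a defacement
    # is counted as well.
    print(control_is_economic(30_000, [web], "integrity"))
    print(control_is_economic(30_000, [web, reputation], "integrity"))
```

Running the block ranks the research material and the undocumented production configuration above the Office System, and shows the same web site control rejected when only the page content is valued but accepted once the reputational loss is included, which is the kind of outcome the next paragraphs describe.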
What is interesting about this approach is that the outcomes are
often surprising. For example, the information on your web site
may not have a high financial value and could simply be restored
if corrupted, so why spend a lot of money protecting it? However,
if you were a security company, the publicity following a defacement
would damage your name and reputation and could have a very large
financial impact.
Similarly, companies have protected the "Office System" only to
find that their most valuable asset is research material held on
individual PCs, or that the configuration data for their production
lines is held in paper notes or in somebody's head.
This asset and impact valuation is only one part of a full security
management system: the threats to and vulnerabilities of the assets
still need to be assessed, the security controls decided and the
conclusions implemented. It is, however, a very valuable step that
should not be overlooked.
Positive Computer Solutions' consultants have a great deal of
experience in all areas of producing a security management
system designed to meet the requirements of your business. The
company also has a full portfolio of integrated and specialist
security products that can then be used to implement the controls
required.
For more information and a free initial consultation, please
contact us by filling in our form or calling us today.