Information Assurance Policy Costs
by James Rosen

Graphical Overview
Some Figures
• Deloitte & Touche, 2003: Financial services companies are spending approximately 6% of their IT budgets on information security
• IDC: The market for web intrusion protection services and products is expected to increase to nearly US $700,000,000 by 2006. What was the real figure?
• ACM: Malicious code caused $13b in costs in 2001
• Schneier: A Moscow company charges $10k for a risk analysis for small companies; Verisign's subsidiary iDefense offers bounties for finding holes
• IDG News: Corporations should spend 4-6% on InfoSec
Categories
• Writing the Policy
• Maintaining the Policy
• Enforcing the Policy
• Hidden Costs (Externalities)
Writing the Policy
• Cataloging resources (including data types)
• Researching potential threats
• Evaluating risk to different resources
• Getting input from each stakeholder
• Drafting the paper
Maintaining the Policy
• Research
  • Analyzing new aspects of the business
  • New technologies
  • New threats
• Continuing education for the Security Team
  • OCTAVE training: several $k, plus several days of paid non-work time for a small team
  • NSA's IAM training (similar)
Enforcing the Policy
• Initial training & communications
• Vulnerability evaluation
• Patching
• Equipment
  • Firewalls
  • Multi-factor authentication
  • Surveillance
• Event response
  • Re-training employees
  • Firing or disciplining employees
  • On-call IT/Security response team
Hidden Costs
• Short-term costs resulting from being bound by the Information Assurance Policy (IAP)
  • e.g. limitations in practices, technology choices, etc.
• Ideally, offset in the long term