...arbitrarily build a separate roadmap for each risk category, since that can lead to inefficiency in the management of the assurance program itself.

SAMM / The Security Practices - v1.0

✦ Architects (2 days/yr)
✦ Managers (2 days/yr)
✦ Business Owners (2 days/yr)
✦ Security Auditor (2 days/yr)

Related Levels
✦ Policy & Compliance - 2
✦ Threat Assessment - 2
✦ Design Review - 2

Strategy & Metrics
SM 3
Align security expenditure with relevant business indicators and asset value

Activities

A. Conduct periodic industry-wide cost comparisons

Research and gather information about security costs from intra-industry communication forums, business analyst and consulting firms, or other external sources. In particular, there are a few key factors that need to be identified.

First, use the collected information to identify the average amount of security effort being applied by similar types of organizations in your industry. This can be done either top-down, from estimates of the total percentage of budget, revenue, etc., or bottom-up, by identifying security-related activities that are considered normal for your type of organization. Overall, this can be hard to gauge for certain industries, so collect information from as many relevant sources as are accessible.

The next goal of researching security costs is to determine whether there are potential cost savings on third-party security products and services that your organization currently uses. When weighing the decision to switch vendors, account for hidden costs such as retraining staff or other program overhead.

Overall, these cost-comparison exercises should be conducted at least annually, prior to the subsequent assurance program strategy session. Comparison information should be presented to stakeholders in order to better align the assurance program with the business.

Results
✦ Information to make informed case-by-case decisions on security expenditures
✦ Estimates of past loss due to security issues
✦ Per-project consideration of security expense versus loss potential
✦ Industry-wide due diligence with regard to security

Add'l Success Metrics
✦ >80% of projects reporting security costs in past 3 months
✦ >1 industry-wide cost comparison in past 1 year
✦ >1 historic security spend evaluation in past 1 year

Add'l Costs

Collect project-specific information on the cost of past security incidents: for instance, time and money spent cleaning up a breach, monetary loss from system outages, fines and fees paid to regulatory agencies, project-specific one-off security expenditures for tools or services, etc.

Using the application risk categories and the respective prescribed assurance program roadmaps for each, a baseline security cost for each application can be initially estimated from the costs associated with the corresponding risk category. Combine the application-specific cost information with the general cost model based on risk category, and then evaluate projects for outliers, i.e. sums disproportionate to the risk rating. These indicate either an er...
This homework help was uploaded on 03/31/2014 for the course GEN ED IS taught by Professor 3445 during the Spring '14 term at ITT Tech Flint.