arbitrarily build a separate roadmap for each risk category, since that can lead to inefficiency in management of the assurance program itself.

SAMM / The Security Practices - v1.0

✦✦Architects (2 days/yr)
✦✦Managers (2 days/yr)
✦✦Business Owners (2 days/yr)
✦✦Security Auditor (2 days/yr)

Related Levels
✦✦Policy & Compliance - 2
✦✦Threat Assessment - 2
✦✦Design Review - 2

Strategy & Metrics
SM 3
Align security expenditure with relevant business indicators and asset value

Activities
A. Conduct periodic industry-wide cost comparisons
Research and gather information about security costs from intra-industry communication forums, business analyst and consulting firms, or other external sources. In particular, there are a few key factors that need to be identified.
First, use collected information to identify the average amount of security effort being applied by similar types of organizations in your industry. This can be done either top-down from estimates of total percentage of budget, revenue, etc., or bottom-up by identifying security-related activities that are considered normal for your type of organization. Overall, this can be hard to gauge for certain industries, so collect information from as many relevant sources as are accessible.
The next goal of researching security costs is to determine if there are potential cost savings on third-party security products and services that your organization currently uses. When weighing the decision of switching vendors, account for hidden costs such as retraining staff or other program overhead.
Overall, these cost-comparison exercises should be conducted at least annually, prior to the subsequent assurance program strategy session. Comparison information should be presented to stakeholders in order to better align the assurance program with the business.

Results
✦✦Information to make informed case-by-case decisions on security expenditures
✦✦Estimates of past loss due to security issues
✦✦Per-project consideration of security expense versus loss potential
✦✦Industry-wide due diligence with regard to security

Add’l Success Metrics
✦✦>80% of projects reporting security costs in past 3 months
✦✦>1 industry-wide cost comparison in past 1 year
✦✦>1 historic security spend evaluation in past 1 year
Collect project-specific information on the cost of past security incidents. For instance, time and money spent in cleaning up a breach, monetary loss from system outages, fines and fees to regulatory agencies, project-specific one-off security expenditures for tools or services,
Using the application risk categories and the respective prescribed assurance program roadmaps for each, a baseline security cost for each application can be initially estimated from the costs associated with the corresponding risk category.
Combine the application-specific cost information with the general cost model based on risk category, and then evaluate projects for outliers, i.e. sums disproportionate to the risk rating. These indicate either an er...