
Budgeting For Security

Security budgeting is a layered approach

Security is important for an organization and its customers. However, there is a common misconception that security costs are already included in the IT budget. Security best practices follow a layered approach, and budgeting is no different. There is no such thing as being 100% secure, and mistakes can happen anywhere. Where should you focus your efforts?

Cover the Basics first

Before you look at some of the newest security solutions, it is important to make sure the basics are covered. Here are a few items to consider:

  1. Review your security policy
  2. Ensure security patches are up to date, for all hardware/software
  3. Make sure all of your devices are running AV software and are up to date
  4. Review your password policy for weak passwords
  5. Encrypt all portable devices
  6. Provide security training for end users, and IT staff
  7. Regularly review your Firewall/IDS rules
  8. Follow best practices for remote access/VPN solutions
  9. Put a monitoring/logging solution in place

Budget Considerations

Once you have the basics in place, formal measurement and planning are prudent for prioritizing capital expenses. If you do not have the in-house expertise available, you may need to rely on outside assistance. Some items to consider:

  1. Formalized development of security policies and procedures
  2. Security monitoring or outsourced assistance
  3. Vulnerability and penetration testing
  4. Third party inspection
  5. Multifactor Authentication
  6. Mobile Device Security/Management
  7. Internet controls/restrictions
  8. Secure Large File transfer methods
  9. NAC
  10. Wireless security
  11. Data Loss Prevention
  12. Incident response/tracking
  13. Backups/DR/Business Continuity

Studies have shown that a good overall security posture will reduce the overall cost of a security breach.


Ebola: Is Your Organization Prepared?

All organizations should have a business continuity plan. I know that many do not. How will your business respond if:

  • Your building burns down
  • A flood destroys facilities
  • A tornado takes out a primary distributor and disrupts a supply chain
  • A pandemic infection affects any key component of your business

A pandemic plan addresses this specific scenario within a business continuity plan. Do we have remote access capabilities that allow everyone to perform their job? What happens if the whole IT department is sick? If accounting is sick, who will send invoices and pay bills? If our distributor’s source in a foreign country is shut down, where will our supplies come from (this is an indirect effect)? If sea ports are closed, the US taps oil reserves, and gas prices quadruple, how will that impact business? These are things your organization should be considering already, but if not, now is a good time.

UPDATE 10/3/2014: Ebola has now officially spread to the United States. A patient in Dallas, according to news sources, has had contact with many people while being infected with Ebola.

Today, based on publicly available news sources, the Ebola virus has spread from west Africa north to Morocco, possibly east to Nigeria and even further to Saudi Arabia. Additionally, the US has admitted the two Americans infected with the virus. This could easily fizzle out in a few days and have zero impact on US day-to-day operations. But what if it doesn’t? Will your business survive interruptions to daily services?

The impact of a potential pandemic infection would be severe. What if the US declares some sort of martial law and quarantines people to their homes? This will disrupt shipping and supply chains, and will require all employees to work from home. Does your organization have the remote access infrastructure in place for this?

Organizations should not panic over this news, but rather use it to push for completing or developing their business continuity plans in preparation for any disaster. Make sure you have the policies and procedures in place to continue business even if critical pieces of your infrastructure are impacted. Here is a checklist made available by the CDC for flu pandemic preparedness. Obviously Ebola is not the same as the flu, but the checklist can work for both.