Call us at 507.319.5206 or This email address is being protected from spambots. You need JavaScript enabled to view it.
Follow us on LinkedIn and Twitter

Planning Security Budgets for 2016

Posted on 10/12/2015 by Patrick Botz

It’s that time of year again. Budgeting for next year means that you need to figure out how much you’re going to spend on security projects and products.  Of course, in order to determine how much money you need to spend, you first have to figure out which security projects and products you need. So how do you do that?

A good way to determine how much you need to spend on security is to think about security management as a business process. As with any business process, it includes the following phases:

  1. Planning
  2. Implementation
  3. Execution
  4. Measurement and feedback

Everything you do, or need to do, with respect to managing security fits into one of these phases. Consider each phase and whether you need spend time and money to make changes or to purchase products to address needs and requirements.

Planning = Policies

Security policies define the abstract behaviors and controls you will use to protect your organization’s assets.

I use the word abstract to emphasize that security policies don’t describe how you will configure your system’s various security knobs and dials. Rather, they describe which assets need to be protected, how those assets may be used by which employee roles, and for which business purposes. Policies also describe behaviors that are required or prohibited.

An example of policies that define a required behavior is “Employees will change their password every 90 days.”

“Employees are not allowed to use computers supplied by ABC Company for personal use” is an example of a prohibited behavior.

In effect, security policies are the definition of “secure” for your organization and its business assets. If the behaviors and controls defined in those policies are effectively enforced and circumvention or attempted circumvention of them can be detected, then your business assets are properly secured.

Standards and regulations such as HIPAA, PCI, SOX, and a myriad of other industry-specific acronyms describe security policies that must be included in your organization’s policies. For the most part, they do not specify how those policies should be enforced – only that they must be appropriately enforced.

Do you need to allocate budget dollars to this phase of the security business process?  Ask yourself the following questions about the year ahead:

  • Do you have explicit, formal, and documented security policies?
  • Will you need to demonstrate compliance with an industry standard or government regulation?
  • Have any industry standards or government regulations with which you must be compliant changed?
  • Are there additional policies to be defined?
  • Given your experience this year with implementation, execution, and measurement, do any existing policies need to be changed or refined?

An affirmative answer to any of these questions means you should strongly consider allocating dollars to this phase of the security management process for next year.

If you haven’t already explicitly defined and documented security policies, this is one of the most important places you can spend money to improve your organization’s risk posture.  If you are starting from scratch, or nearly scratch, it may be more cost effective to get outside help with this task.  You not only have to generate policies, but you also need to implement the security management business process!

Implementation = Enforcement of Policies

Implementation is the set of business processes and technical controls you put in place in order to implement the controls and behaviors defined in your security policies. This includes the entire security configuration of your systems as well as the external processes, such as approval for new userIDs.

Enforcing your security policies requires time, effort and expertise.  In other words, it costs money.

Security is a function of risk and cost. You can improve your security by 1) reducing your risk or by 2) reducing how much it costs your company to manage the level of risk you deem acceptable.

To decide if you need to spend money on enforcement, you need to look at both aspects of security: do you need to reduce risk and do you need to reduce the cost of managing that risk?

Security products can be applied to both aspects. For example, you now have to meet PCI requirements. Encrypting credit card related data is a requirement of PCI. You can do this by changing all of your programs that access credit card data. But this is very expensive, and implementing encryption correctly is technically complicated. Compare the cost of buying a product that helps with encryption (and its most complicated component, key management) to the DIY option.

Security services can also reduce risk and cost.  Security experts can help you use your existing mechanisms and products to more accurately enforce your policies and thereby reduce your risk. They can also reduce cost by executing processes and procedures that you don’t have time to do.

Execution = Monitor and Detect

In addition to making sure that your defined processes and procedures (e.g. management approval required prior to creating a userID) are being followed, you also need to make sure your system enforcement configuration is not drifting away from what you just implemented.

After you have your system configured to enforce your security policies, you need to remain vigilant. You need to identify, understand, and address potential threats that can occur at any time and may occur on a daily basis! This includes intrusion attempts, attempts to circumvent your security policy, and changes to the security configuration.

Not doing this is like a prison where the guards don’t do rounds or headcounts to make sure all the prisoners are still there.

Preventing successful attacks requires early detection of attempts to compromise your corporate assets. Due to the nature of electronic assets, if you aren’t detecting attacks, you likely won’t even know that you have been successfully attacked. Attacks are just as likely to come internally as they are externally.

There are a huge number of things you need to monitor. One of the most important is the system audit journal. The audit journal is capable of tracking everything that occurs on your system – security related or not. The most important events to monitor, from a security point of view, may be AF (Authority Failures) entries.  If your system is properly configured, an AF entry indicates that someone is trying to access something they aren’t supposed to.  The trick is to determine if that attempt was an accident or was part of a probing attempt.  If you don’t know about these until days, weeks, or months later, whatever damage that was going to be done has already been done.

The vast majority of attackers do not want to be caught.  They attempt to cover their tracks. One of the things they try to get away with is to open holes on your system; often by changing your security configuration. If you aren’t checking whether your current configuration matches your expected (hopefully documented) configuration on a periodic basis (yes, even daily is not too often), then you have little chance of catching an attack before it wreaks havoc.

There are a host (pun intended) of other things to monitor.  Disabled and/or unused user profiles that have been around for more than say, 90 days, without having been used.  New user profiles that you didn’t create.  Programs having modified dates that don’t match known updates or upgrades, etc.

To determine if you need to spend money on execution, ask yourself  questions like the following:

  • Do you know how your all of your security-related elements should be configured on your system?
  • Would you know if the configuration had changed and whether it was planned or unexplained?
  • Are you currently doing anything to check for possible intrusion attempts on an ongoing basis? If so, how comfortable are you with the adequacy of these efforts?
  • How much do your current efforts cost? Do you need to reduce the cost of detection?
  • Do you know what to do if you suspect a possible attack?

If you answer “no” to any of these questions (or “yes” to needing to reduce cost), then you probably need to allocate budget dollars to the execution phase of security management.

Consider products, services and/or developing your tools to automate as much of this monitoring as possible.  If you aren’t yet doing anything for execution, start with a project to define what you need and intend to do.

Measurement = Internal and External Audits

In the Measurement phase of the security management process, you compare your security policies to your enforcement mechanisms to determine if those mechanisms accurately enforce the behaviors and implement the controls defined in your security policy.

So your policy tells you the behaviors you need to enforce. If your policy is out of whack, then your security is, by definition, out of whack.  But let’s say your policy is “in whack.” If your enforcement doesn’t adequately enforce your policies, then your security is still out of whack.

In order to ensure you are properly managing security, you must periodically measure how accurately your enforcement reflects the behaviors defined in your policy. There are two aspects of this.

  1. External security audits should first review your security policies to make sure they are consistent with your requirements and legal responsibilities. This step is, unfortunately, often skipped by auditors.
  2. The second aspect is to ensure, by testing and inspecting, whether your current processes, procedures and security configuration accurately reflect your security policies.

External security audits are required for some organizations and industries. It is useful to have someone not so closely associated with the configuration take an unbiased look at your policies and your implementation. Many larger organizations have internal audit organizations that may also conduct security audits.

If you have an upcoming security audit, you’ll need to allocate part of your money to prepare for, conduct and respond to the audit findings.  If you don’t, consider allocating budget dollars to do your own small scale audit. You don’t have to look at policy and every configuration item. Take a few days to investigate a small sample of them.

Consider products or services that will help you define your intended configuration and automate the process of comparing the current configuration to it. Some service providers will act as your liaison with your audit team, help respond to auditor requests for information and help formulate replies to deficiencies identified by your audit team.

Summary

If you’re having trouble understanding whether you are allocating the right amount of budget dollars to the right security-related projects, looking at security as business process can be immensely helpful.

Planning, implementing, executing and measuring provide you a roadmap to organize your analysis. In general, the earlier in the process (i.e. planning is earlier than implementing, etc.), the greater the priority for allocating dollars to that phase.

What you learn by executing each phase may inform decisions to make changes to earlier phases. For example, if there is a security policy (e.g. FTP is not allowed for files coming into our network) that is too costly to implement (perhaps it impacts productivity), your organization may decide to change the policy to provide a little more leeway (e.g. FTP for files coming into our network is only allowed with management approval on a case-by-case basis.) Another example is a policy that allows up to 10 incorrect password attempts before disabling a profile. Your setting is 15. The audit team notes the discrepancy between the configuration and the policy. They also note that the policy does not meet best practices and should be changed to five or fewer attempts.

Taking a business process approach to analyzing the allocation of your security budget ensures that you are spending those dollars on the most important security projects, AND it helps you deliver the most efficient and effective security for your company’s digital assets.

To learn more about this process, join me and my colleague Patrick Townsend for a live webinar on strategic IBM i security budgeting on Wednesday, November 18, 2015.

 

facebooktwittergoogle_pluspinterestlinkedinmail
This entry was posted in Info Security Mgmt, Information Security, Security Breach and tagged , , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>