
Adequate Security

How much security is enough?


by IW. Sriyasa

INTRODUCTION

Security Strategy Questions

What is the value?


Product
Services

Process

Security Strategy Questions

What assets?
information
technology

people

Security Strategy Questions


What potential adverse conditions & consequences?

The cost?
Disruptions?

Security Strategy Questions


How to manage residual risks?
Residual risk is the risk remaining after mitigation is taken.

Organizational Character
Market Sector Character

Characteristics to Consider
Organization Characteristics
Size (employees, customers, physical locations)
Complexity (organizational units, products, services, processes, systems)
Value & criticality of intellectual property. Information stored or transmitted digitally.
Dependence on IT systems, impact of systems downtime.

Characteristics to Consider
Market Sector Characteristics
Potential impact to critical infrastructure
Customer sensitivity to and expectation for security & privacy
Potential brand and reputation damage
Customer ability & likelihood to switch to a competitor

Defining Adequate Security

The condition where the protection and sustainability
strategies for an organization's critical assets and
business processes are commensurate with the
organization's tolerance for risk.

Defining Adequate Security


The condition where the protection and sustainability
strategies for an organization's critical assets and
business processes are commensurate with the
organization's tolerance for risk.

Protection & sustainability
Principles
Policies
Procedures & Processes
KPI & measures

Defining Adequate Security


The condition where the protection and sustainability
strategies for an organization's critical assets and
business processes are commensurate with the
organization's tolerance for risk.

Critical assets
Information (enterprise strategy & plans, customer data)
Infrastructure (supporting facilities & utilities)
People (key personnel with unique knowledge & skills)
Brand, image & reputation

Defining Adequate Security


The condition where the protection and sustainability
strategies for an organization's critical assets and
business processes are commensurate with the
organization's tolerance for risk.

Business processes that create:
Products & services
Financial management & reporting
Relationships to 3rd party
CRM

Determining Adequate Security


Critical assets and business processes that support achieving our organizational goals?
Under what conditions and with what likelihood are assets and processes at risk?
What mitigating actions do we need to take and with what priority?
What protection strategies do we need to put in place? Cost/benefit analysis
How well are we managing our security state today?

Conclusion
The level of adequate security changes in relation to the risk tolerance that will be taken.
Achieving adequate security is a continuous process.

What mitigating actions do we need to take and with what priority?
A planning process to monitor, review & update an organization's security state must be part of day-to-day business conduct.

Thank you
