8/10/2019 Adequate Security

1/18

Adequate SecurityHow much security is enough?by IW. Sriyasa

8/10/2019 Adequate Security

2/18

8/10/2019 Adequate Security

3/18

INTRODUCTION

8/10/2019 Adequate Security

4/18

Security Strategy Questions

What is the value?

Product

Services

Process

8/10/2019 Adequate Security

5/18

Security Strategy Questions

What assets?

information

technology

people

8/10/2019 Adequate Security

6/18

Security Strategy Questions

What potential adversecondition & consequences?

The cost?

Disruptions?

8/10/2019 Adequate Security

7/18

Security Strategy Questions

How to manage residualrisks?

Residual risk is risk remainingafter mitigation taken

8/10/2019 Adequate Security

8/18

8/10/2019 Adequate Security

9/18

Organizational Character

Market Sector Character

8/10/2019 Adequate Security

10/18

Characteristics to Consider

Organization Characteristics

Size (employees, customers,physical locations)

Complexity (organizational units,products, services, processes,systems)

Value & criticality of intellectualprop. Information stored ortransmitted digitally.

Dependences on IT Systems,impact of systems downtime.

8/10/2019 Adequate Security

11/18

Characteristics to Consider

Market Sector Characteristics

Potential impact to criticalinfrastructure

Customer sensitivity to andexpectation for security & privacy

Potential brand and reputation

damage.

Cust. ability & likelihood toswitch to a competitor

8/10/2019 Adequate Security

12/18

Defining dequate Security

The condition where the protection and sustainabilitystrategies for an organization's critical assets andbusiness processes are commensurate with the

organization's tolerance for risk.

The condition where the protection and sustainabilitystrategies for an organization's critical assets andbusiness processes are commensurate with the

organization's tolerance for risk.

8/10/2019 Adequate Security

13/18

8/10/2019 Adequate Security

14/18

Defining dequate Security

The condition where the protection and sustainabilitystrategies for an organization's critical assets andbusiness processes are commensurate with the

organization's tolerance for risk.

Information(enterprise strategy &plans, customer data)

Infrastructure(supporting fasilities &

utilities)

People (keypersonsel with unique

knowledge & skills)

Brand, image &reputation

Criticalassets

8/10/2019 Adequate Security

15/18

Defining dequate Security

The condition where the protection and sustainabilitystrategies for an organization's critical assets andbusiness processes are commensurate with the

organization's tolerance for risk.

Products & services Financial management& reporting

Relationships to 3 rdparty CRM

BusinessProcesses that

create:

8/10/2019 Adequate Security

16/18

Determining dequate Security

Critical assets and business processes thatsupport achieving our organizational goals?

Under what conditions and with whatlikelihood are assets and processes at risk?

What mitigating actions do we need to takeand with what priority?

what protection strategies do we need to putin place? Cost/benefit analysis

How well are we managing our security statetoday?

8/10/2019 Adequate Security

17/18

Conclusion

The level of adequate security is changingrelated to risk tolerance will be taken.

Achieving adequate security is continuousprocess

What mitigating actions do we need to takeand with what priority?

Planning process for monitor, review & update anorganization's security state must be part of day to day businessconduct

8/10/2019 Adequate Security

18/18

Thank you