[SoCoSA/discuss] Making a business case (was Re: Sys Admin group
forming)
Susan Baur
susan at cdl.edu
Mon Jan 23 08:20:07 PST 2006
On Jan 20, 2006, at 9:52 PM, Steve S. wrote:
> I could certainly use some "soft skills" -- I *am* the "IT department" in my new job (they had been going with a mix of a couple of semi-techie people in-house (who each had other, full-time jobs) plus an outside contractor at need, about once per month). Now, I'm trying to figure out how to pitch "doing it the right way" things -- I dread what a decent security-audit will find, but I'm getting the tools together to perform one anyhow... *BUT* my preliminary "feelers" on this topic to my new boss indicate a "talk a good game, but don't commit resources" attitude, i.e. "I'm certainly in favor of security" but implementing any sort of packet-examination tools -- even port/protocol logs via free/cheap tools is gonna take a big-ass ol' "business case" analysis, if you'll pardon my French. :-(
>
> How to present that sort of thing to mgmt would be VERY appreciated over here!
Hi Steve,

Just saw this last week on the SANS NewsBites list. Thought it might be a place to start building your business case from.
From SANS NewsBites Vol. 8 Num. 6:

> --Privacy Rights Clearinghouse List of Data Security Breaches (17 January 2006)
> The Privacy Rights Clearinghouse has compiled a list of known data security breaches that have occurred since ChoicePoint's data breach acknowledgment on February 15, 2005. The list includes the dates the breaches were reported, the names of the institutions, the types of breach and the number of individuals affected in each breach.
> http://www.privacyrights.org/ar/ChronDataBreaches.htm
> [Editor's Note (Schultz): The soon to be released list of known data security breaches is much too long for comfort. The fact that suitable legislation designed to reduce such breaches has not yet been passed in the US only exacerbates concerns about failure to adequately protect personal and financial information.
> (Honan): This information could be the most valuable metric to put in front of your senior management when trying to justify budget spend for security measures. It is certainly a strong argument against the "it could never happen to us" mentality. Interestingly, the figures show that of the total 52 million identities that were compromised, 40 million were exposed due to the CardSystems debacle in June. Of the remaining 12 million breaches, approximately 7.25 million were exposed on lost mobile media such as laptops and backup tapes.]
Also, don't forget to point out California's disclosure laws as they relate to security breaches and personal information. I don't know how large your place is, but perhaps an estimate of what it would cost to send a mailing to every customer and every employee, former employee and contractor letting them know that there'd been a breach, combined with a conservative estimate of how much damage it would do to your business' name, and I think you should be able to get funding to start down the "Do it Right" path.

Hope this helps,
Susan