Determine Return on Investment (ROI)

Determine Revenue and Revenue Loss

The first step is to determine the typical revenue produced in one normal business day. This allows you to show what a worst case scenario of complete loss of business functions would be, upon which you can begin determining more long- term effects of business failure. Another important area to consider is if there are fines associated with failure of business activities. If your company has a contract to provide services to another company or individual, do you have an associated fine or deduction when your service doesn t meet predetermined metrics? Are there governmental fines associated with failure to deliver goods or services that could be levied for failure of business delivery? Has a similar company in your industry faced an information security incident? If so, what were the costs of the incident? The costs associated with business interruption or failure could be of tremendous impact, even causing severe degradation of business revenue. If you are a business in the government sector, you must consider the ramifications of potential fines or investigations by government oversight committees and the costs associated with those activities. Government and business entities must consider the impact of incidents on operating budgets and future budgets / revenues .

A good way to determine return on investment (or return on security investment) is to use some previous examples of security issues that caused downtime or business disruption and compare the cost of the downtime to that of the mitigation solution. For example, the fictional company ACME Sprockets has an application called Sprocket Tracker. If the Sprocket Tracker application went offline for 30 minutes, it could directly cost the company $10,000. Using that figure, you can reasonably estimate that in an average business day, you could lose $160,000. This was determined by figuring out the average work hours in a business day, dividing by 2 and then multiplying by $10,000 (average loss per 30 minutes). These are the types of calculations you will need so that you can provide management with reasonable information on potential losses associated with a security event. Figure 15-3 shows an example of determining an incident s cost for a very small company suffering a minor virus outbreak.

Figure 15-3: Sample incident cost report

Using the report shown in Figure 15-2, you can propose a possible resolution or ways to mitigate the risk and directly compare the two to show the business case for the resolution. For instance, in this case, you show how a patch management system for your Windows machines, which might cost $1,000, could reduce the damage, potentially saving the organization $5,600 per incident.

Determine Government and Industry Requirements

Other areas that can assist in the determination of return on investment and can greatly impact budget resources are governmental and industry requirements. There are many different legal requirements for security practices throughout the world, which if not properly followed can result in severe monetary penalties, censure, or even criminal penalties. Most security legislation is still in its beginning stages and many businesses have not seen penalties yet, but the provisions are available for regulatory or investigative agencies. Examples of current legislation (pending and enacted) include

• The Health Insurance Portability and Accountability Act (HIPAA), which sets provisions for how personal health information is handled, disclosed, and used. This is applicable in the United States. More information is available at http://www.hhs.gov/ocr/hipaa/.

• California SB 1386, relating to reporting of security incidents to California residents and applicable to all businesses that hold personal information on California residents. This particular legislation is seen as far reaching due to the global nature of business, and the fact that a lot of private businesses will hold information on a California citizen due to the nature of interstate and global commerce. More information is available at the California State Senate home page: http:// info .sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html.

• The Gramm-Leach-Bliley Act (GLBA) or the Financial Services Modernization Act defines some guidance on information security obligations for companies in the United States and sets out requirements for the protection of consumers personal financial information. More information can be found at http://www.ftc.gov/privacy/glbact/.

• The Sarbanes-Oxley (SOX) Act of 2002 deals with accountability for public companies. Of special interest to information security professionals is section 404. Violation of the requirements set forth in this act can lead to civil and criminal penalties for executives and directly impact a security program. The basics of this legislation are that it requires certification of a company s internal controls on a yearly basis, requiring a need for the protection of your company s data. Go to http://www.sec.gov/spotlight/sarbanes-oxley.htm.

• European Union Directive 95/46 EC on the Protection of Individuals with Regards to the Processing of Personal Data, and on the free movement of such data within the European Union. This legislation concerns the protection of personal information and how that information is stored, used, and processed . Go to http://europa.eu.int/comm/internal_market/privacy/law_en.htm.

• The Personal Information Protection and Electronic Documents Act (PIPEDA) covers the collection, use, and disclosure of personal information on Canadian citizens .

  Further details on this legislation are available at http://www.privcom.gc.ca/.

Information security has become a major concern of governments and citizens, and legislation is being enacted throughout the world. The six pieces of legislation listed previously only cover a small portion of the wide- ranging information security laws and regulations that apply to business today. Contact your legal department for further clarification on what legislation applies to your company and industry based on your operating regions , what type of information and services you provide, and other factors. The legal department should also be able to define the potential penalties accrued when a company is not in compliance with these regulations. The security controls required by governmental and industrial regulations should be brought to management s attention immediately and enacted as soon as possible as these represent the most immediate security fulfillment requirements.

Determine Impact of Loss of Trust

Another area to consider when determining the return on security investment is the estimated losses from prestige or trust in the industry. If your company is a high profile or especially sensitive industry (financial, utility, and so on), the losses incurred by a publicized security incident could be far greater than the more obvious short-term losses on operations, recovery, and maintenance. You must also consider how it would affect future customers. This is particularly hard to determine because there are usually no definite future sales or revenue figures, so you must take average sales and consider what could potentially be lost due to lack of confidence in security. For instance, imagine if your company provides information systems services to a credit card processing facility and the company suffered a malicious event. How would future customers view your service offering and how much more difficult would it be for sales staff to close future deals? This is the most obscure portion to determine, but your best guess based on previous sales will have to suffice to give management a realistic expectation of the cost of loss of prestige and trust.

Gather Industry Statistics

Statistics are a great way to enhance your security expenditure and policy requests . There are many security statistics available online, as well as sites that provide industry research at a reasonable cost. Providing a hard- hitting statistic that shows management what others in the industry are saying or experiencing can sometimes be the determining factor between project approval and rejection . Use the experiences of others and the statistics they provide as an attention grabbing point in your research to prevent your company from becoming one of those statistics.

Statistics on security that will assist you in your security goals can be found in several places. You can also use statistics based on your own experiences, such as firewall logs, security incidents per quarter, or other pertinent facts as these statistics can have more impact than general reference ones. A few of the more popular sites for security statistics are

• CERT/CC (http://www.cert.org/stats/cert_stats.html)

• CSO Magazine (http://www.csoonline.com/)

• ISSA Journal (http://www.issa.org/)

• SANS (http://www.sans.org/)

• SecurityFocus (http://www.securityfocus.com/)

• ZDNet (http://itpapers.zdnet.com/)

• LinuxSecurity (http://www.linuxsecurity.com/)

• InfoSecurityMag (http://infosecuritymag.techtarget.com/)

• Linux Weekly News (http://lwn.net/security)

• Linux Today (http://linuxtoday.com/security/)

• Vendor web sites

• General use search engines such as http://www.google.com/ can provide the most up-to-date or relevant statistics.

Contract a Consultant

An uninvolved third party can provide insight from a viewpoint that you may not have previously had. They can also back up your recommendations if they are based on sound research and foresight. If you are not a security professional or if you don t have a security background, this is the favored course of action. A consultant is usually versed in management and business practices, and can articulate your recommendations in a way that conveys the urgency and need for a vigorous security program. This is not to say that a consultant is going to come to your business and rubber-stamp your proposal without providing feedback or new recommendations if yours need enhancing. A good consultant will take your research and recommendations and weigh them against industry best practices or prevalent levels of security. Most consultants will also conduct some form of audit to determine the current security posture and what level of security management desires. Having the research discussed earlier in this chapter available to the consultant will allow them to create recommendations in a timely manner, with the least disruption to staff.

Locating a good consultant can be difficult. A good place to start is by contacting your local Information Systems Security Association (http://www.issa.org/) or Information Systems Audit and Control Association (http://www.isaca.org/) and talking to chapter representatives. They will usually be able to provide some references and contact information for local security consultants. When interviewing security consultants, ask what types of certifications they hold, level of education, how long they have been doing security consulting, references from the last few customers they had, as well as if they have experience in your organization s field of business. A good consultant will be happy to provide this information, and by doing your homework on your prospective consultant, you will ensure that your company gets sound, unbiased advice.

After contracting a consultant, you should start by telling them what your objectives are and provide them with access to the information required to effectively do their job. A consultant who doesn t have enough access to resources and information will prove to be useless to your company and can actually lead to results that are detrimental. Consultants are sometimes seen as the untrustworthy outsider or competitor to many in the information technology field, so you may need to assist the consultant in their fact-finding duties .

A consultant who understands your business and needs can prove invaluable to your company s security goals and often provides the final catalyst needed to implement security mechanisms and policies.

Reference Current Industry Standards

A great place to reference your current security posture against a worldwide reference is ISO 17799 (BS 7799-2), Code of Practice for Information Security Management. This standard provides a framework that is beginning to be accepted worldwide as an information security standard. There are other industry standards available online, but ISO 17799 is rapidly becoming the de facto guideline for creating a security program that will meet the needs of most organizations. Referencing the ISO standard and using it as a guideline for your program will show management that you are utilizing tools that are in use worldwide and widely accepted as best practice in the information security industry. The ISO standards do cost money to obtain (around $250) and can be ordered at BSI Americas (http://www.bsiamericas.com/InformationSecurity/). There are other guidelines in use worldwide, even industry-specific guidelines, so you must do your research to determine what the best documentation for you will be. Some of the other guidelines for a security program or audit of a security program are

• Generally Accepted System Security Principles (GASSP), available at (http://web.mit.edu/security/www/gassp1.html).

• Generally Accepted Information Security Principles (GAISP). This is a project to rework the GASSP and move it forward. It is still a work in progress, but information about it can be found at http://www.issa.org/gaisp/.

• Commonly Accepted Security Practices and Recommendations (CASPR), available at http://www.caspr.org/ (currently inactive).

• Control Objectives for Information and Technology (COBIT), available at http://www.caspr.org/www.isaca.org/cobit.htm.

• Common Criteria, available at http://csrc.nist.gov/cc/.