In this video, Kip Boyle discusses budgetary concerns for any successful information security program. Learn how to estimate costs to manage top risks.
- At this point, you have a list of specific suggestions for reducing your top risks down to an acceptable level. Now, we need to figure out what your proposals are going to cost. The first step is to break down each option you created into a series of smaller, more manageable pieces of work. Ask yourself, "What are the people, processes, technologies, and management components to this change?" Previously, we saw how we asked ourselves this question when we came up with specific change ideas, so you should be able to build on your prior work.
As you price out each piece, start by making your own estimates, then talk with experts in each area to refine your estimates. Use this experience to build up your own sense of what things actually cost, so next year you'll have an easier time. Let's take an initial pass at identifying the cost factors for our number three risk, Security Continuous Monitoring. There are eight controls in that activity area, and in this example, five of those eight scored below a five.
Following the steps previously outlined, we determined that implementing quarterly network vulnerability scans would reduce our number three risk. Here's the analysis we did to determine the cost components. In the management area, we'll need a written and approved policy requiring the scanning, and we'll need a one-time project budget to implement the scanning. Plus, we'll need an annually recurring budget to do the scanning every quarter throughout the year. Now in the process area, we'll need a way to reliably do the scans every quarter, and make sure the scan results are evaluated by the right people the right way, at the right times.
After scanning, recommendations will need to be brought to management for a decision, and the approved decisions will need to be implemented. In the technology area, if we decide to do the scanning ourselves, we'll need to find, buy, and implement the right scanning tools, and we need to purchase ongoing support and maintenance contracts. Finally, in the people area, we'll need some hours for a subject matter expert to write the technology requirements. Someone will need to find the right tools or service provider to do the scans.
We'll need a business analyst to create the processes and get management approval. Then we'll need to train people to use the scan tools and interpret the technical reports. To summarize, the cost components would be the total hours of people's time multiplied by their hourly rate, and enough cash to purchase scanning tools and services. Note that some of these costs will be associated with a one-time project, while other costs will be ongoing once the project wraps up.
Finally, ask your boss if your organization has a standard proposal template for recording these costs. If not, a quick internet search should reveal a useful template.