Acquisition Costs
These costs comprise the software, hardware, or services related to a
proposed new control. Some controls may have no acquisition costs — for example,
implementing a new control may merely involve enabling a previously unused
feature on a piece of network hardware that the organization is already using.
Other controls may require the purchase of new technologies such as distributed
firewall software or dedicated firewall hardware with application layer
filtering capabilities. Some controls may not require the purchase of anything
but rather the hiring of a third-party organization. For example, an
organization might hire another firm to provide it with a block list of known
spammers that is updated daily so that it can tie the list into its spam filters
already installed on mail servers in the organization. There may be other
controls that the organization chooses to develop itself; all of the costs
relating to designing, developing, and testing the controls would be part of an
organization's acquisition costs.
Implementation Costs
These expenditures relate to staff or consultants who will install and
configure the proposed new control. Some controls may require a large team to
specify, design, test, and deploy properly. Alternatively, a knowledgeable
systems administrator could disable a few unused system services on all desktop
and mobile computers in only a few minutes if the organization already has
enterprise management tools deployed.
Ongoing Costs
These costs relate to continuing activities associated with the new control,
such as management, monitoring, and maintenance. They may seem particularly hard
to estimate, so try to think of them in terms how many people will need to be
involved and how much time each week (or month or year) will need to be spent on
these tasks. Consider a robust, distributed network-based intrusion detection
system for a large corporation with offices on four continents. Such a system
would require people to monitor the system 24 hours a day, every day, and those
people would have to be able to interpret and effectively respond to alerts. It
might require eight or ten or even more full-time employees for the organization
to fully realize the potential of this complex control.
Communication Costs
This expenditure is related to communicating new policies or procedures to
users. For an organization with a few hundred employees that is installing
electronic locks for its server room, a few e-mails sent to the IT staff and
senior managers might be sufficient. But any organization deploying smart cards,
for example, will require a lot of communication before, during, and after the
distribution of smart cards and readers, because users will have to learn a
whole new way of logging on to their computers and will undoubtedly encounter a
wide range of new or unexpected situations.
Training Costs for IT Staff
These costs are associated with the IT staff that would need to implement,
manage, monitor, and maintain the new control. Consider the previous example of
an organization that has decided to deploy smart cards. Various teams within the
IT organization will have different responsibilities and, therefore, require
different types of training. Help desk staff will have to know how to help end
users overcome common problems such as damaged cards or readers and forgotten
PINs. Desktop support staff will have to know how to install, troubleshoot,
diagnose, and replace the smart card readers. A team within the IT organization,
one within the human resources department, or perhaps one within the
organization's physical security department will have to be responsible for
provisioning new and replacement cards and retrieving cards from departing
employees.
Training Costs for Users
This expenditure is related to users who would have to incorporate new
behavior in order to work with the new control. In the smart card scenario
referenced previously, all users will have to understand how to use the smart
cards and readers, and they will also have to understand how to properly care
for the cards, because most designs are more sensitive to physical extremes than
credit cards or bank cards.
Costs to Productivity and Convenience
These expenditures are associated with users whose work would be impacted by
the new control. In the smart card scenario, you might assume that things would
be easier for an organization after the early weeks and months of deploying the
cards and readers and helping users overcome their initial problems. But for
most organizations, that would not be the case. Many will find that their
existing applications are not compatible with smart cards, for example. In some
cases this may not matter, but what about the tools that the human resources
department uses to manage confidential employee information? Or the customer
relationship management software used throughout the organization to track
important data for all customers?
If critical business applications like these are not compatible with smart
cards and are configured to require user authentication, the organization may be
faced with some difficult choices. It could upgrade the software, which would
require even more costs in terms of new licenses, deployment, and training. Or
it could disable the authentication features, but that would lower security
significantly. It could, alternatively, require users to enter user names and
passwords when accessing these applications, but then users would once again
have to remember passwords, undermining one of the key benefits of smart cards.
Costs for Auditing and Verifying Effectiveness
An organization would incur these expenditures after implementing the
proposed new control. Examples of questions that you can ask to further define
these costs include:
- How will it ensure that the control is actually doing what it was
supposed to do?
- Will some members of the IT organization perform penetration testing?
- Will they try running samples of malicious code against the asset that
the control is supposed to protect?
- After the effectiveness of the control has been validated, how will the
organization verify that the control is still in place, on an ongoing basis?
The organization must be able to prove that nobody has accidentally or
maliciously modified or disable the control, and it must determine who will be
charged with the verification of this. For extremely sensitive assets it may be
necessary to have more than one person validate the results.
Woodgrove Example: In Tables 5.3 and 5.4, below, the Mitigation Owners
determined costs for the risks. Record the cost estimates for each proposed
control in the "Cost of Control Description" column in SRMGTool3_Detailed Level
Risk Prioritization.xls.
Table 5.3 Costs for Implementing Smart Cards for VPN and
Admin Access
| Category |
Notes |
Estimates |
| Acquisition Costs |
The cost per smart card is $15, and the cost per
reader is also $15. Only 10,000 of the bank's employees require
virtual private networking (VPN) or administrative access, so the
total cost for cards and readers would be $300,000. |
$300,000 |
| Implementation Costs |
The bank would hire a consulting firm to help it
implement the solution at a cost of $750,000. There would still be
significant costs for the time invested by the bank's own employees,
though: $150,000. |
$900,000 |
| Communication Costs |
The bank already has several established methods of
communicating news to employees such as printed newsletters,
internal Web sites, and e-mail mailing lists, so the costs of
communicating the smart card deployment would not be substantial. |
$50,000 |
| Training Costs for IT Staff |
The bank would use the same consulting organization
to train the IT staff that would help with the implementation; the
cost would be $10,000. Most members of the IT staff would miss 4 to
8 hours of work time, for an estimated overall cost of $80,000. |
$90,000 |
| Training Costs for Users |
The bank would use Web-based training from the smart
card vendor for teaching employees how to use the smart cards; cost
is included in the price of the hardware. Each of the bank's
employees would spend about an hour taking the training, for an
overall cost of lost productivity of about $300,000. |
$300,000 |
| Costs to Productivity and Convenience |
The bank assumes that the average user will miss
about an hour of productivity and that one out of four will call the
Help desk for assistance with their smart cards. The cost of lost
productivity would be $300,000, and the expense of support calls to
the Help desk would be $100,000. |
$400,000 |
| Costs for Auditing and Verifying Effectiveness |
The Security Risk Management Team believes that it
can periodically audit and verify the effectiveness of the new
control at a cost of $50,000 for the first year. |
$50,000 |
| Total |
|
$2,090,000 |
Table 5.4 Costs for Implementing Smart Cards for Local
Access
| Category |
Notes |
Estimates |
| Acquisition Costs |
The cost per smart card is $15, and the cost per reader
is also $15. Because all 15,000 bank employees would require local
access, the total cost for cards and readers would be $450,000. The bank
would also have to upgrade or replace many business applications at a
substantial cost: $1,500,000. |
$1,950,000 |
| Implementation Costs |
The bank would hire a consulting firm to help it
implement the solution at a cost of $750,000. There would still be
significant costs for the time invested by the bank's own employees,
though: $150,000 |
$900,000 |
| Communication Costs |
The bank already has several established methods of
communicating news to employees such as printed newsletters, internal
Web sites, and e-mail mailing lists, so the costs of communicating the
smart card deployment would not be substantial. |
$50,000 |
| Training Costs for IT Staff |
The bank would use the same consulting organization to
train the IT staff that would help with the implementation; the cost
would be $10,000. Most members of the IT staff would miss 4 to 8 hours
of work time, for an estimated overall cost of $80,000. |
$90,000 |
| Training Costs for Users |
The bank would use Web-based training from the smart
card vendor for teaching employees how to use the smart cards; cost is
included in the price of the hardware. Each of the bank's employees
would spend about an hour taking the training, for an overall cost of
lost productivity of about $450,000. |
$450,000 |
| Costs to Productivity and Convenience |
The bank assumes that the average user will miss about
an hour of productivity and that one out of four will call the Help desk
for assistance with their smart cards. The cost of lost productivity
would be $450,000, and the expense of support calls to the Help desk
would be $150,000. |
$600,000 |
| Costs for Auditing and Verifying Effectiveness |
The Security Risk Management Team believes that it can
periodically audit and verify the effectiveness of the new control at a
cost of $150,000 for the first year. |
$150,000 |
| Total |
|
$4,190,000 |
|
Call Now : 800-519-
2267
|
Testimonials
|
If you're serious about getting certified,
this is the place to go. Definitely worth
their competitive price. Excellent
instructors, making it possible for anyone
to learn no matter what your level of
experience or knowledge.
Michael Doty
|
 |
|
No Prestudy