Risk on Security Investment Report

Table of Contents

INTRODUCTION..........................................................................................................................................................................4

SEAGOVIA ORGANIZATIONAL INFORMATION...............................................................................................................5

SECURITY TECHNOLOGIES FOR ROSI ANALYSIS..........................................................................................................5

ANTIVIRUS SOFTWARE...........................................................................................................................................................6

INTRUSION DETECTION SYSTEM.........................................................................................................................................8

SACL and DACL.........................................................................................................................................................................10

VIRTURAL PRIVATE NETWORK.........................................................................................................................................12

BACK-UP SOFTWARE..............................................................................................................................................................15

BIOMETRIC................................................................................................................................................................................17

SSL VPN Cryptography..............................................................................................................................................................18

SECURE EMAIL.........................................................................................................................................................................20

ACTIVE DIRECTORY...............................................................................................................................................................22

SELF ENCRYPTING DRIVE....................................................................................................................................................24

CONFIGURATION/PATCH MANAGEMENT.......................................................................................................................26

REFERENCES.............................................................................................................................................................................28

2 Return on Security Investment

INTRODUCTION

Return on investment (ROSI) can be interpreted as: [1]

ROSI = (Mitigated Risk – Cost) / CostHere we analyze an investment in information security, and hence we do not seek to increase in

income, but instead a mitigation of the given risk to which the business process will be exposed

[1] to and which in turn will affect the entire investment structure.

ROSI represents the investment in terms of the most appropriate “Risk Level” that the

organization, in this case Seagovia is ready to assume. We aim to reach to what is called an

“appropriate solution” because in the case of the level of information security, it is highly likely

to have a 100% solution level.

Points of Focus while Calculating ROSIFollowing are the two points of focus we need to follow while determining ROSI.

a. What is the “solution cost” range that represents the options from which we can

choose our “Acceptance Level”?

b. At what point in the calculations (“ROSI =0”) do the solutions start being

counterproductive when costs exceed business benefits?

Our strategy of calculating the ROSI can be viewed from different angles:

a. Qualitative View: Based on assumptions. It is based on heightened level of subjectivity

and does not prove useful to justify investments before higher management levels.

b. Statistical View:This serves as a kick off for an advanced information security

development to deal with events during the determining of ROSI. This model’s

development takes about four-to-eight weeks. Its subjectivity depends upon the

organization, its complexity and the level of business process being taken into

consideration.


c. Probabilistic View:Most precise method for calculating ROSI. The model is specific.

Development of this model can take up to eight-to-twelve weeks because of its

complexity. This model allows us to analyze the financial and strategic planning

departments within the organization. Hence, the degree of accurateness is higher.

SEAGOVIA ORGANIZATIONAL INFORMATION

CATEGORYLaptops 222Laptops with Top Secret Information 151Desktops 321Servers 16Database Server 2Backup USB Drives 70Number of Mobiles 400Blackberry Mobiles 231

EmployeesNumber of Employees 650Employees handling top secret information 29

Lifespan of Technology SolutionSolution Deployment 3 yearsMaintenance Every monthFatal Failure Recovery 1 Month (2 IT Labors)

Money (USD)Annual Revenue $ 5 MillionInstallation Cost Based on Specific SolutionMaintenance Cost $100/day/person (Standard) One Vender

deals with maintenance of Seagovia’s Software and Hardware.


NOTE: ANY LOSS OF INFORMATION IS DIRECTLY PROPORTIONAL TO ANNUAL REVENUE

SECURITY TECHNOLOGIES FOR ROSI ANALYSIS

Following is the list of Technologies Next Community Consultants have formulated and analyzed for calculating Return on Security Investment:


Below we provide an estimation of the cost, return and benefits Seagovia would have if they invest in the given technologies.

ANTIVIRUS SOFTWARE

Product Name:Norton AntivirusProduct Usage:Used for protecting Seagovia Information System from trojans, worms, virus, malware, etc.Product Lifespan: 1 Year (license version can be revised)

Scope of ProtectionEffectivenessEase of InstallationEase of UseFeaturesUpdatesHelp & Support

FINANCIAL EXPENDITURE

INVESTMENT

Excellent Very Good Good Fair Poor


Price Number SubtotalRaw Equipment Cost

$1000 5 Admins $5000

Installation (1 day) $50 5 IT Staff $250Maintenance/month $0 $0Upgrade $0 $0Subtotal Investment ~ $5250

COST SAVINGSLoss of Data 3%*$5.0*106 $150,000Loss of customer prospect

2%*$5.0*106 $100,000

Waste of Human Labor

$100 8 staff $800

Loss of Productivity 4%*$5.0*106 $200,000Subtotal Investment ~ $450,800

OVERALL SUMMARYTotal Return on Investment $445,250

IMPACT ON SEAGOVIA DEFENSE AND BANKING OPERATIONS

3 ON A SCALE OF 4 HIGH THREAT RISK

INTRUSION DETECTION SYSTEM

Product Name:Check Point RealSecureProduct Usage: Used for protecting Seagovia Information System.Product Lifespan: 1 Year (license version can be revised)

1234


Unobtrusively analyzes packets of information as they travel across your enterprise network. It recognizes a wide variety of traffic patterns that indicate hostile activity or misuse of network resources, including network attacks and malicious Java™ and ActiveX™ applets. The RealSecure attack recognition engine immediately alerts network managers and administrators of any suspicious activity, logs the session, and can automatically terminate the connection. Events are classified and summarized in order of priority, enabling you to assess conditions at a glance. You can play back sessions at any time for further evaluation or for use as criminal evidence [6].

INVESTMENTPrice Number Subtotal

Raw Equipment Cost( 32 users with 1 year Total Security)

$1600/bundle 5 Admins $25,000

Installation (1 day) $100/person 5 IT Staff $1500Maintenance $2000 5 IT Staff $10000Upgrade $50 $50Subtotal Investment ~ $36,550


2%*$5.0*106 $100,000


$100 15 staff $1500




EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY

IDS is one the most important software Seagovia should invest into. Firstly to protect you network, IDS generates alarms when it detects any kind of intrusive activity on the network. The mechanism triggers an alarm of two kinds:a. Anomaly Detection- For detecting insider attacks or account thefts. b. Misuse Detection- With signature database for every user, any misuse will be monitored right away. Also, apart from the network triggering mechanism, the software also makes sure of detecting any strange activity in the specific spots on:a. Host Side- Success or failure of an attack is easy to be determined. b. Network Side- Able to see where the attach is taking place and how much of network has the attack effected.



1234


SACL and DACL

Product Name: Windows SACL and DACL SystemProduct Usage: Types of Access Control Lists (ACL) for providing system wide auditing and logging facilities. Product Lifespan: Same as Windows License

EXPENSES TO INSTALL


Raw Equipment Cost

$1000 16 servers $16,000

Installation (1 day) $200/person 10 IT Staff $2000Maintenance $100/month 16 Servers $19,200Upgrade $0 $0Subtotal Investment ~ $37,250


2%*$5.0*106 $100,000


$100 30 staff $3000




EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGYNot having the above technology will increase the chances of system of network security breaches, and also not be able to determine the extent and location of network damage. For Seagovia such a risk is really high because highly confidential information is kept in the system. If such information is leaked out and the source cannot be determined, then it is a major threat to national security. This will also increase the time exponentially to locate the epicenter of the problem and also the time related to rectify it, further causing delay and increasing the threat connected to it.



VIRTURAL PRIVATE NETWORK

Product Name: CISCO VPNProduct Usage: Security through encryption and authentication technologies that protect data from unauthorized access and attacks.Product Lifespan:2 Years (license version can be revised)

1234



EXPENSES TO INSTALL


Raw Equipment Cost *

$90,000

Upgrade $100 $100Subtotal Investment ~ $90,100


2%*$5.0*106 $100,000


$100 30 staff $3000



* The software cost included the following for all 500 machines1

1. SBC Vendor Managed RLAN2. SBC DSL, VPN (User Managed)3. Router Cost4. Handling, Configuration Cost5. Circuit Installation, project coordination cost6. User Managed VPN7. Remote Access IT Employees (labor) + 1 engineer + 2 consultants

** The cost increases when Seagovia adds more machines @ 10% each year.

1Source: Cisco VPN Client Brings Flexibility and Cost Reduction to Cisco Remote Access Solution


EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGYThe main advantages a secure VPN provides is cost savings and network scalability. The use of such a network will help Seagovia protect their data, increase the bandwidth and efficiency of the network. Having this technology will allow data to be transferred safely through a tunneling protocol and security procedures. Whereas, not having a secure VPN would not allow Seagovia employees to send data safely and open the doors to packet sniffing. If such a thing happens, again a lot of national secured data would be on the loose, resulting in a major disaster.



1234


BACK-UP SOFTWARE

Product Name: Nova BackupProduct Usage:Required for providing a back-up to all the stored information at SeagoviaProduct Lifespan: 2 Years (license version can be revised)

Feature Set

Ease of Use

Backup/Restore

Help/Documentation



Raw Equipment Cost

$45 5 Admins $225

Installation (1 day) $50/person 5 IT Staff $250Maintenance $1200 5 Machines $6000Upgrade $50 $50Subtotal Investment ~ $6,525


2%*$5.0*106 $100,000


$100 5 staff $500



EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY

Excellent Very Good Good Fair Poor


A back-up software helps users maintain the data they have. Seagovia stores a lot of information which is highly classified and prone to attacks (leaks). Also, there can be certain incidents where someone (insider or outsider) might successfully erase the data stores. So, it is suggested to have a back-up of the entire data at Seagovia by secure software. This way, if incase if the data is erased, a back-up would be a hand and would save a lot of time and effort involved in retrieving the data.



BIOMETRIC

Product Name: Aware, Inc. Fingerprint ReadersProduct Usage:•Fingerprint and facial image auto-capture • Image QA and compliance assurance • Certified 1:1 fingerprint matching • Standard-compliant data formatting and validation • Service-oriented workflow server platform Product Lifespan: 2 Years (license version can be revised)



1234


Raw Equipment Cost

$800($700 Software$100 Reader)

16Servers649 Machines10 Sensitive Office Rooms

$12,800$64,900$1000

$65,900Installation (1 day) $100 5 IT Staff $500Maintenance $100 15 Servers $18,000Upgrade $50 $50Subtotal Investment ~ $84,400


2%*$5.0*106 $100,000


$200 10 staff $2000



*We assume that 10% of the machines contain sensitive data that only admin or an employee with high level clearance can access it.

EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGYInsecure authorization in banking or high-intelligence organizations can be catastrophic with loss of money, confidential information and compromised data integrity. The above technology provides a sure shot way to prevent any unauthorized individual to get access to an unauthorized place. The above technology cannot be shared or copied, as It is extremely difficult to duplicate any individuals identity in terms of eyes, face or finger prints. Hence, this way only special (high level) employees can gain access to special information centers, thereby reducing the risk of information getting out of the organization premises. The rest depends on Seagovia to allocate biometrics to as many employees as it wants.




SSL VPN Cryptography

Product Name: OvisGate SSL VPNProduct Usage:A VPN Software that utilizes SSL technology, giving you the ability to easily access a foreign network (e.g. workplace, home, school, etc.) from the web browser [10].Product Lifespan: 2 Years (license version can be revised)


1234



Raw Equipment Cost

$1000 5 Admins $5000

Installation (1 day) $100/person 10 IT Staff $1000Maintenance $100/month 5 Machines $6000Upgrade $50 $50Subtotal Investment ~ $12,050


2%*$5.0*106 $100,000


$100 5 staff $500



EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGYVPN allows remote users to securely access corporate information from safe locations. The above technology allows Seagovia users to access highly confidential information from safe places so that such information is not accessible to all. This way Seagovia can ensure that only highly classified employees get to share information which otherwise is not required to be accessed by lower level employees within Seagovia. The catch in using this technology is that Seagovia can easily setup secure Extranet for its employees while transmitting information. This way the authentication and encryption on the network will not allow external users (insiders and outsiders) to breach it.



1234


SECURE EMAIL

Product Name: ZSentryProduct Usage:Secure email serviceProduct Lifespan: 1 Years (license version can be revised)



Raw Equipment Cost

$80 16 Servers $1,280

Installation (1 day) $100/person 5 IT Staff $500Maintenance $100/month 15 Servers $18000Upgrade $50 $50Subtotal Investment ~ $19,830


2%*$5.0*106 $100,000


$100 5 staff $500



EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGYThis technology is used for maintaining a secured email service within any organization. Its main use is to ensure that any information shared via email is secured. It uses a secure loginuses authentication, encryption and proven anti-phishing solution.sign, encrypt and send service. Hence if Seagovia incorporates and invests in this technology it will save them the time and effort to protect their mails, share classified information without having the concern of information getting across to wrong parties. Also, it will help in sharing confidential bank records between various individuals keeping external identities off record. All this saves time and effort involved if any leak of information takes place through email. The probability of information breach through email is not high, but since Seagovia deals in National Information, it is important to not to leave any corner un-attended.




ACTIVE DIRECTORY

Product Name: Active Directory Service by MSProduct Usage:Product Lifespan: 1 Years (license version can be revised)

FINANCIAL EXPENDITURE[12]


Raw Equipment Cost

$1000 5 Admins $5000

Installation (1 day) $50 5 IT Staff $250Maintenance $100 5 Machines $6000Upgrade $50 $50Subtotal Investment ~ $11,300

COST SAVINGSLoss of Data 3%*$5.0*106 $150,000

1234


Loss of customer prospect

2%*$5.0*106 $100,000


$100 5 staff $500



EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGYFollowing are the advantages Active Directory Offers:1. Full integrated security in the form of user login’s and cryptographic information.2. Easy to administer the group policies and permissions.3. Easy to provide scalability, flexibility and extendibility in during data up-gradation. 4. Supports integration of other directory services also.5. Supports multiple authentication protocols. All the above factors show that data security is a major thing to control. At Seagovia, national data is stored and has to be protected in from breach. The cost associated with it is catastrophic and cannot be calculated. The only solution our consulting team suggest is to adopt this technology.




SELF ENCRYPTING DRIVE

Product Name: Seagate Momentus FDE Self Encrypting DriveProduct Lifespan: 1 Years (license version can be revised)

1234




Raw Equipment Cost

$130* 500 $65,000

Maintenance $0 $0Upgrade $50 $50Subtotal Investment ~ $65,050


2%*$5.0*106 $100,000


$100 5 staff $500



*Including Installation Cost

EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGYWe already suggested a cryptography software for your organization’s information systems. But we found another area of concern. All the employees within Seagovia have to submit their data to the cryptography software to enable data protection. For all the data excluding the encrypted data (user’s own data on his machine) is also vulnerable for breach or information theft. Hence, we advice a self encrypting hard drive to make sure that all data present in the user’s machine is encrypted automatically as the user stores data in it. Hence we also close the gates for security breach through this channel. Bank accounts, usernames, passwords, etc will also be encrypted and they key to all that data would be only with the user of the machine.




CONFIGURATION/PATCH MANAGEMENT

Product Name: GFI Languard Product Usage:GFI LANguard is a complete network vulnerability management solution that allows you to scan, detect, assess and remediate security vulnerabilities and provides patch management functionality [14].Product Lifespan: 1 Years (license version can be revised)


1234



Raw Equipment Cost

$380* 5 Admins $1900

Installation (1 day) $100/person 5 IT Staff $500Maintenance $100 5 Machines $6000Upgrade $50 $50Subtotal Investment ~ $8,450


2%*$5.0*106 $100,000


$100 5 staff $500



*Including 2 year maintenance.

EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGYPatch management software automatically protects the integrity of data. With the above mentioned technology- deployment of patches to ISA servers machines,allowing administrator to specify required updates, data migration and export/import features, reporting capabilities to allow administrator to monitor updated network activity, etc are easily implementable. All these above advantages add a layer of protection to the update activity within the network. Since out previous advised technologies are keeping a track of all the updates occurring within the network, this technology enables the administrator to monitor and implement updates which are required for the network. There can be instances where a patch update might be a kind of a breach. So to ensure that all is monitored correctly, this technology provides the much needed admin facilities required to protect the data.




REFERENCES

1. Return on Security Investment- Interpreting ROSIhttp://blogs.globalcrossing.com/?q=content/rosi-return-security-investment

2. Office Informationhttp://en.wikipedia.org/wiki/Prime_Minister's_Office_(Singapore)

3. Salaries of Government Employeeshttp://www.payscale.com/research/US/People_Employed_by_the_Government/Salary

4. Antivirus Softwarehttp://anti-virus-software-review.toptenreviews.com/ppc-index.html?cmpid=4637

5. Antivirus Software Installationhttp://www.brokelyn.com/computer-repair-in-brooklyn/http://www.answers.com/license+renewal+fee+of+antivirus+software

6. Intrusion Detection Systemhttp://www.timberlinetechnologies.com/products/intrusiondtct.htmlhttp://www.ciscopress.com/articles/article.asp?p=25334

7. CISCO VPN Costhttp://www.cisco.com/global/EMEA/ciscoitatwork/pdf/it-at-work-cisco-access-vpn.pdf

1234

http://www.cisco.com/global/EMEA/ciscoitatwork/pdf/it-at-work-cisco-access-vpn.pdf

http://www.ciscopress.com/articles/article.asp?p=25334

http://www.timberlinetechnologies.com/products/intrusiondtct.html

http://www.answers.com/license+renewal+fee+of+antivirus+software

http://www.brokelyn.com/computer-repair-in-brooklyn/

http://anti-virus-software-review.toptenreviews.com/ppc-index.html?cmpid=4637

http://www.payscale.com/research/US/People_Employed_by_the_Government/Salary

http://en.wikipedia.org/wiki/Prime_Minister's_Office_(Singapore)

http://blogs.globalcrossing.com/?q=content/rosi-return-security-investment


8. Back-up Softwarehttp://data-backup-software-review.toptenreviews.com/

9. Biometrichttp://www.findbiometrics.com/middleware-software/

10. SSL VPNhttp://www.ovislink.com/newovislink/products/VPN/SSL/SSL.asphttp://download.cnet.com/OvisGate-SSL-VPN-Server/3000-7240_4-10294896.html

11. ZSentryhttp://zsentry.com/how_zmail.htm

12. Active Directory License Costhttp://www.jijitechnologies.com/jiji-active-directory-reports-reporting-tools-adr-pricing.aspx

13. Self Encrypting Drivehttp://www.seagate.com/staticfiles/support/sedqual/MB595_1_0905US_SelfQual.pdf

14. Patch management Softwarehttp://www.windowsecurity.com/software/Patch-Management/http://www.gfi.com/whitepapers/patch-management.pdf

http://www.gfi.com/whitepapers/patch-management.pdf

http://www.windowsecurity.com/software/Patch-Management/

http://www.seagate.com/staticfiles/support/sedqual/MB595_1_0905US_SelfQual.pdf

http://www.jijitechnologies.com/jiji-active-directory-reports-reporting-tools-adr-pricing.aspx

http://zsentry.com/how_zmail.htm

http://download.cnet.com/OvisGate-SSL-VPN-Server/3000-7240_4-10294896.html

http://www.ovislink.com/newovislink/products/VPN/SSL/SSL.asp

http://www.findbiometrics.com/middleware-software/

http://data-backup-software-review.toptenreviews.com/

Documents

Risk on Security Investment Report