Disaster-Resource.com

How Secure is Secure Enough?

Information security is critical, and that’s why it’s important to have a good plan in place. But how do you know if your information security plans are too big, too small or just right?

In an article on the ComputerWorld website, Jaikumar Vijayan looks at five steps security professionals can take to help them decide if their plans are comprehensive – without going overboard.

Vijayan says most people in the information security industry have long asked how secure is secure enough, but with today’s economy putting the squeeze on IT budgets, it’s now more important than ever to justify every dollar spent on security.

“Answering the question with any degree of accuracy involves art and luck as much as it does science, say security managers,” Vijayan writes. “But by adopting the right approaches, it is possible to arrive at a better answer than some might expect, they say.”

What are the five steps that can help you determine whether your company is secure enough? According to the article, they are:

  1. Decide how secure you want to be. Determine how much disruption your business is willing to endure and how long critical systems can be down.
  2. Get a handle on asset value. Determine the probability of a given threat actually being exploited in your environment, the value of the assets that are the targets of the threat and the likely effect on your business.
  3. Implement a control framework. Choose the most appropriate set of technology, management and process controls to help you get and stay where you want to be.
  4. Measure everything. Use metrics to ensure compliance with control objectives.
  5. Monitor all controls. Test, monitor and validate the security controls you are using.

To read the full article, click here: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=321921&pageNumber=1