
Budgeting For Security

Security budgeting is a layered approach

Security matters to an organization and to its customers. However, there is a common misconception that security costs are already covered by the IT budget. Security best practices follow a layered approach, and budgeting is no different. There is no such thing as being 100% secure, and mistakes can happen anywhere, so where should you focus your efforts?

Cover the Basics First

Before you look at some of the newest security solutions, it is important to make sure the basics are covered. Here are a few items to consider:

  1. Review your security policy
  2. Ensure security patches are up to date for all hardware and software
  3. Make sure all of your devices are running AV software with current definitions
  4. Review your password policy and check for weak passwords
  5. Encrypt all portable devices
  6. Provide security training for end users and IT staff
  7. Regularly review your firewall/IDS rules
  8. Follow best practices for remote access/VPN solutions
  9. Have a monitoring/logging solution in place

Budget Considerations

Once you have the basics in place, formal measurement and planning are prudent for prioritizing capital expenses. If you do not have the expertise in house, you may need to rely on outside assistance. Some items to consider:

  1. Formalized development of security policies and procedures
  2. Security monitoring or outsourced assistance
  3. Vulnerability and penetration testing
  4. Third party inspection
  5. Multifactor Authentication
  6. Mobile Device Security/Management
  7. Internet controls/restrictions
  8. Secure Large File transfer methods
  9. Network Access Control (NAC)
  10. Wireless security
  11. Data Loss Prevention
  12. Incident response/tracking
  13. Backups/DR/Business Continuity

Studies have shown that a good overall security posture reduces the cost of a security breach.