Table of Contents
INTRODUCTION
SEAGOVIA ORGANIZATIONAL INFORMATION
SECURITY TECHNOLOGIES FOR ROSI ANALYSIS
ANTIVIRUS SOFTWARE
INTRUSION DETECTION SYSTEM
SACL and DACL
VIRTUAL PRIVATE NETWORK
BACK-UP SOFTWARE
BIOMETRIC
SSL VPN Cryptography
SECURE EMAIL
ACTIVE DIRECTORY
SELF ENCRYPTING DRIVE
CONFIGURATION/PATCH MANAGEMENT
REFERENCES
2 Return on Security Investment
INTRODUCTION
Return on security investment (ROSI) can be interpreted as [1]:

ROSI = (Mitigated Risk – Cost) / Cost

Here we analyze an investment in information security, so we are not seeking an increase in income but a reduction of the risk to which the business process is exposed [1], a reduction that in turn affects the whole investment structure.
ROSI expresses the investment in terms of the most appropriate "risk level" that the organization, in this case Seagovia, is prepared to accept. We aim for what is called an "appropriate solution", because at the level of information security it is highly unlikely that a 100% solution exists.
Points of Focus while Calculating ROSI
The following are the two points of focus to keep in mind when determining ROSI:
a. What is the "solution cost" range that represents the options from which we can choose our "acceptance level"?
b. At what point in the calculation (ROSI = 0) do solutions start to become counterproductive, i.e. where the cost exceeds the business benefit?
Our strategy for calculating ROSI can be viewed from different angles:
a. Qualitative view: based on assumptions. It carries a high degree of subjectivity and is of little use for justifying investments to senior management.
b. Statistical view: serves as a starting point for a more advanced information security model that deals with recorded events while determining ROSI. Developing this model takes about four to eight weeks. Its subjectivity depends on the organization, its complexity and the level of the business process under consideration.
c. Probabilistic view: the most precise method for calculating ROSI. The model is specific to the organization, and developing it can take eight to twelve weeks because of its complexity. It allows the financial and strategic planning departments of the organization to be included in the analysis, so the degree of accuracy is higher.
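The following is an added worked example, not part of the original report, that applies the ROSI formula above to the report's own table layout. The line-item figures are copied from the report's antivirus and SACL/DACL tables; the class and function names, and the annualisation of a per-month maintenance cost over one year, are my own modelling choices, so a subtotal follows from the rows and can differ slightly from a table's rounded figure. It also computes the ROSI = 0 break-even cost asked about under point (b) and shows that ranking solutions by the ROSI ratio is not the same as ranking them by net dollars saved.

```python
"""Worked application of ROSI = (Mitigated Risk - Cost) / Cost to this report's tables.

Added example, not part of the original report. Figures are taken from the
report's antivirus and SACL/DACL tables; names and structure are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

ANNUAL_REVENUE = 5_000_000  # Seagovia's annual revenue in USD (from the report)


@dataclass
class LineItem:
    """One row of an INVESTMENT table: unit price x number (x months if recurring)."""
    name: str
    unit_cost: float
    quantity: int = 1
    months: int = 1  # 12 for a per-month cost annualised, as the report does for SACL/DACL

    @property
    def subtotal(self) -> float:
        return self.unit_cost * self.quantity * self.months


@dataclass
class Solution:
    """A security technology with its investment rows and the losses it mitigates."""
    name: str
    investment: List[LineItem]
    loss_percent: Dict[str, int]  # avoided loss as a percentage of annual revenue
    labour_waste: float = 0.0     # avoided wasted human labour, in USD

    def total_investment(self) -> float:
        return sum(item.subtotal for item in self.investment)

    def mitigated_risk(self, revenue: float = ANNUAL_REVENUE) -> float:
        # The report's note: any loss of information is directly proportional
        # to annual revenue, so each avoided loss is a fixed share of revenue.
        return sum(p * revenue / 100 for p in self.loss_percent.values()) + self.labour_waste

    def net_return(self) -> float:
        """What the report's tables call 'Total Return on Investment'."""
        return self.mitigated_risk() - self.total_investment()

    def rosi(self) -> float:
        """ROSI = (Mitigated Risk - Cost) / Cost, the ratio defined in the introduction."""
        return self.net_return() / self.total_investment()

    def break_even_cost(self) -> float:
        """Solution cost at which ROSI = 0; spending beyond it is counterproductive."""
        return self.mitigated_risk()


# The three revenue-proportional loss categories every table in the report uses.
STANDARD_LOSSES = {"loss of data": 3, "loss of customer prospects": 2, "loss of productivity": 4}


def antivirus() -> Solution:
    return Solution("Antivirus software",
                    [LineItem("licences", 1000, 5), LineItem("installation", 50, 5)],
                    STANDARD_LOSSES, labour_waste=800)


def sacl_dacl() -> Solution:
    return Solution("SACL and DACL",
                    [LineItem("servers", 1000, 16), LineItem("installation", 200, 10),
                     LineItem("maintenance", 100, 16, months=12)],
                    STANDARD_LOSSES, labour_waste=3000)


def rank_by_rosi(solutions: List[Solution]) -> List[str]:
    """Order solutions by the ROSI ratio (highest first), not by net dollars."""
    return [s.name for s in sorted(solutions, key=lambda s: s.rosi(), reverse=True)]


if __name__ == "__main__":
    for s in (antivirus(), sacl_dacl()):
        print(f"{s.name}: cost ${s.total_investment():,.0f}, mitigated risk "
              f"${s.mitigated_risk():,.0f}, net return ${s.net_return():,.0f}, "
              f"ROSI {s.rosi():.1f}, break-even cost ${s.break_even_cost():,.0f}")
    print("Ranking by ROSI:", rank_by_rosi([antivirus(), sacl_dacl()]))
```

Because every table in the report assumes the same $450,000 of avoided revenue-proportional loss, the ranking is decided almost entirely by cost: the $5,250 antivirus deployment has a far higher ROSI ratio than the $37,200 SACL/DACL rollout even though their net dollar returns are close.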
SEAGOVIA ORGANIZATIONAL INFORMATION
Category                                      Count
Laptops                                         222
Laptops with Top Secret information             151
Desktops                                        321
Servers                                          16
Database servers                                  2
Backup USB drives                                70
Mobile phones                                   400
Blackberry mobiles                              231

Employees
Number of employees                             650
Employees handling top secret information        29

Lifespan of technology solution
Solution deployment        3 years
Maintenance                every month
Fatal failure recovery     1 month (2 IT labourers)

Money (USD)
Annual revenue             $5 million
Installation cost          based on the specific solution
Maintenance cost           $100/day/person (standard); one vendor handles maintenance of Seagovia's software and hardware
NOTE: ANY LOSS OF INFORMATION IS DIRECTLY PROPORTIONAL TO ANNUAL REVENUE
SECURITY TECHNOLOGIES FOR ROSI ANALYSIS
Following is the list of Technologies Next Community Consultants have formulated and analyzed for calculating Return on Security Investment:
Below we provide an estimation of the cost, return and benefits Seagovia would have if they invest in the given technologies.
ANTIVIRUS SOFTWARE
Product Name: Norton AntiVirus
Product Usage: protecting Seagovia's information systems from trojans, worms, viruses and other malware.
Product Lifespan: 1 year (licence can be renewed)

[Rating chart: Scope of Protection, Effectiveness, Ease of Installation, Ease of Use, Features, Updates, Help & Support; scale Excellent / Very Good / Good / Fair / Poor]

FINANCIAL EXPENDITURE

INVESTMENT                  Price               Number        Subtotal
Raw equipment cost          $1,000              5 admins      $5,000
Installation (1 day)        $50                 5 IT staff    $250
Maintenance/month           $0                                $0
Upgrade                     $0                                $0
Subtotal investment                                           ~$5,250

COST SAVINGS
Loss of data                3% × $5.0×10^6                    $150,000
Loss of customer prospects  2% × $5.0×10^6                    $100,000
Waste of human labour       $100                8 staff       $800
Loss of productivity        4% × $5.0×10^6                    $200,000
Subtotal cost savings                                         ~$450,800

OVERALL SUMMARY
Total return on investment (cost savings − investment)        $445,550
IMPACT ON SEAGOVIA DEFENSE AND BANKING OPERATIONS
3 ON A SCALE OF 4 HIGH THREAT RISK
INTRUSION DETECTION SYSTEM
Product Name: Check Point RealSecure
Product Usage: protecting Seagovia's information systems.
Product Lifespan: 1 year (licence can be renewed)

RealSecure unobtrusively analyzes packets as they travel across the enterprise network. It recognizes a wide variety of traffic patterns that indicate hostile activity or misuse of network resources, including network attacks and malicious Java and ActiveX applets. The attack recognition engine immediately alerts network managers and administrators of any suspicious activity, logs the session and can automatically terminate the connection. Events are classified and summarized in order of priority, so conditions can be assessed at a glance. Sessions can be played back at any time for further evaluation or for use as criminal evidence [6].
INVESTMENT                  Price               Number        Subtotal
Raw equipment cost (32 users with 1 year Total Security)
                            $1,600/bundle       5 admins      $25,000
Installation (1 day)        $100/person         5 IT staff    $1,500
Maintenance                 $2,000              5 IT staff    $10,000
Upgrade                     $50                               $50
Subtotal investment                                           ~$36,550

COST SAVINGS
Loss of data                3% × $5.0×10^6                    $150,000
Loss of customer prospects  2% × $5.0×10^6                    $100,000
Waste of human labour       $100                15 staff      $1,500
Loss of productivity        4% × $5.0×10^6                    $200,000
Subtotal cost savings                                         ~$451,500

OVERALL SUMMARY
Total return on investment (cost savings − investment)        $414,950
EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
An IDS is one of the most important pieces of software Seagovia should invest in. It protects the network by raising an alarm when it detects intrusive activity. The alarm is triggered by one of two mechanisms:
a. Anomaly detection: builds a baseline of normal behaviour and flags deviations from it. This is what catches insider attacks or stolen accounts, whose traffic carries no known attack signature.
b. Misuse detection: matches traffic against a database of signatures of known attacks, so any known misuse is reported immediately.
Apart from the network-level trigger, the software also watches for unusual activity at specific vantage points:
a. Host side: the success or failure of an attack is easy to determine from the host's own state and logs.
b. Network side: one can see where the attack is taking place and how much of the network it has affected.
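The following added example illustrates the two triggering mechanisms just described. It is not part of the original report and is not RealSecure's code; the log lines are constructed for the demonstration, and the signature patterns and the port-scan threshold are assumptions chosen to keep the example short. Misuse detection only fires on the patterns it already knows, while the anomaly rule fires on a behavioural deviation (one source touching many ports) for which no signature exists.

```python
"""Signature (misuse) detection beside baseline (anomaly) detection over a
constructed connection log. Added example, not from the report or RealSecure."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed connection log: "<time> <src> -> <dst>:<port> <request summary>"
SAMPLE_LOG = """\
09:00:01 10.1.1.5 -> 10.1.1.20:80 GET /index.html
09:00:02 10.1.1.5 -> 10.1.1.20:80 GET /login
09:00:04 10.1.1.7 -> 10.1.1.20:80 GET /cgi-bin/../../etc/passwd
09:00:05 10.1.1.8 -> 10.1.1.20:80 GET /search?q=' OR 1=1 --
09:00:06 10.1.1.9 -> 10.1.1.20:21 SYN
09:00:06 10.1.1.9 -> 10.1.1.20:22 SYN
09:00:06 10.1.1.9 -> 10.1.1.20:23 SYN
09:00:07 10.1.1.9 -> 10.1.1.20:25 SYN
09:00:07 10.1.1.9 -> 10.1.1.20:443 SYN
09:00:09 10.1.1.5 -> 10.1.1.20:443 GET /account
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (.*)$")

# Misuse detection: a database of signatures for known attacks (assumed patterns).
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?i)'\s*or\s+1=1|union\s+select"),
}


def parse_log(text: str) -> List[Dict[str, object]]:
    """Turn raw log lines into event records; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            time, src, dst, port, payload = m.groups()
            events.append({"time": time, "src": src, "dst": dst,
                           "port": int(port), "payload": payload})
    return events


def misuse_alerts(events) -> List[Tuple[str, str]]:
    """Signature matching: (source, attack name) for every known pattern seen."""
    alerts = []
    for e in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(e["payload"]):
                alerts.append((e["src"], name))
    return alerts


def anomaly_alerts(events, max_ports_per_source: int = 3) -> List[Tuple[str, str]]:
    """Baseline deviation: a source normally talks to a few ports; one touching
    more than max_ports_per_source distinct ports in the window looks like a scan.
    No signature is involved, which is why this also catches novel activity."""
    ports_by_src = defaultdict(set)
    for e in events:
        ports_by_src[e["src"]].add(e["port"])
    return [(src, f"possible port scan: {len(ports)} distinct ports")
            for src, ports in ports_by_src.items() if len(ports) > max_ports_per_source]


def run(text: str = SAMPLE_LOG) -> Dict[str, list]:
    """Run both detectors over a log and return their alerts keyed by mechanism."""
    events = parse_log(text)
    return {"misuse": misuse_alerts(events), "anomaly": anomaly_alerts(events)}


if __name__ == "__main__":
    for kind, alerts in run().items():
        for src, detail in alerts:
            print(f"[{kind}] {src}: {detail}")
```

On the constructed log the signature rules catch 10.1.1.7 and 10.1.1.8, and the anomaly rule catches the scanner at 10.1.1.9, which no signature would have matched. The threshold is the tuning knob: set it too low and ordinary multi-service hosts raise false alarms, which is the usual cost of anomaly detection in practice.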
IMPACT ON SEAGOVIA DEFENSE AND BANKING OPERATIONS
3 ON A SCALE OF 4 HIGH THREAT RISK
SACL and DACL
Product Name: Windows SACL and DACL
Product Usage: the two kinds of access control list (ACL) attached to a Windows securable object. The discretionary ACL (DACL) defines which users and groups are allowed or denied access to the object; the system ACL (SACL) defines which access attempts are audited, providing system-wide auditing and logging.
Product Lifespan: same as the Windows licence

EXPENSES TO INSTALL

INVESTMENT                  Price               Number        Subtotal
Raw equipment cost          $1,000              16 servers    $16,000
Installation (1 day)        $200/person         10 IT staff   $2,000
Maintenance                 $100/month          16 servers    $19,200 (per year)
Upgrade                     $0                                $0
Subtotal investment                                           ~$37,250

COST SAVINGS
Loss of data                3% × $5.0×10^6                    $150,000
Loss of customer prospects  2% × $5.0×10^6                    $100,000
Waste of human labour       $100                30 staff      $3,000
Loss of productivity        4% × $5.0×10^6                    $200,000
Subtotal cost savings                                         ~$453,000

OVERALL SUMMARY
Total return on investment (cost savings − investment)        $415,750
EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
Without properly configured DACLs the chance of a breach of systems or the network increases, and without SACLs there is no audit trail, so the extent and location of the damage cannot be determined. For Seagovia this risk is very high because highly confidential information is kept on these systems. If such information leaks and the source cannot be determined, it is a major threat to national security. The time needed to locate the origin of the problem, and then to rectify it, grows sharply, causing further delay and increasing the associated threat.
IMPACT ON SEAGOVIA DEFENSE AND BANKING OPERATIONS
3 ON A SCALE OF 4 HIGH THREAT RISK
VIRTUAL PRIVATE NETWORK
Product Name: Cisco VPN
Product Usage: security through encryption and authentication technologies that protect data from unauthorized access and attacks.
Product Lifespan: 2 years (licence can be renewed)
EXPENSES TO INSTALL

INVESTMENT                  Price               Number        Subtotal
Raw equipment cost *                                          $90,000
Upgrade                     $100                              $100
Subtotal investment                                           ~$90,100

COST SAVINGS
Loss of data                3% × $5.0×10^6                    $150,000
Loss of customer prospects  2% × $5.0×10^6                    $100,000
Waste of human labour       $100                30 staff      $3,000
Loss of productivity        4% × $5.0×10^6                    $200,000
Subtotal cost savings                                         ~$453,000

OVERALL SUMMARY
Total return on investment (cost savings − investment)        $362,900

* The software cost covers the following for all 500 machines (see source below):
1. SBC vendor-managed RLAN
2. SBC DSL, VPN (user managed)
3. Router cost
4. Handling and configuration cost
5. Circuit installation and project coordination cost
6. User-managed VPN
7. Remote-access IT employees (labour) + 1 engineer + 2 consultants
** The cost increases when Seagovia adds more machines, at 10% each year.
Source: Cisco VPN Client Brings Flexibility and Cost Reduction to Cisco Remote Access Solution
EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
The main advantages of a secure VPN are cost savings (compared with dedicated lines) and network scalability. Such a network lets Seagovia protect its data in transit: traffic is carried through a tunnelling protocol with authentication and encryption. Without a secure VPN, Seagovia employees could not send data safely over shared networks, and their traffic would be exposed to packet sniffing. If that happened, a great deal of nationally sensitive data would be loose, resulting in a major disaster.
IMPACT ON SEAGOVIA DEFENSE AND BANKING OPERATIONS
3 ON A SCALE OF 4 HIGH THREAT RISK
BACK-UP SOFTWARE
Product Name: Nova Backup
Product Usage: providing a back-up of all the information stored at Seagovia.
Product Lifespan: 2 years (licence can be renewed)

[Rating chart: Feature Set, Ease of Use, Backup/Restore, Help/Documentation; scale Excellent / Very Good / Good / Fair / Poor]

FINANCIAL EXPENDITURE

INVESTMENT                  Price               Number        Subtotal
Raw equipment cost          $45                 5 admins      $225
Installation (1 day)        $50/person          5 IT staff    $250
Maintenance                 $1,200              5 machines    $6,000
Upgrade                     $50                               $50
Subtotal investment                                           ~$6,525

COST SAVINGS
Loss of data                3% × $5.0×10^6                    $150,000
Loss of customer prospects  2% × $5.0×10^6                    $100,000
Waste of human labour       $100                5 staff       $500
Loss of productivity        4% × $5.0×10^6                    $200,000
Subtotal cost savings                                         ~$450,500

OVERALL SUMMARY
Total return on investment (cost savings − investment)        $443,975

EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
Back-up software helps users preserve the data they hold. Seagovia stores a great deal of highly classified information that is exposed to attack (leaks), and there may be incidents in which someone (an insider or an outsider) succeeds in erasing the data stores. We therefore recommend backing up all of Seagovia's data with secure software: if data is erased, a back-up is at hand and saves the time and effort that would otherwise go into recovering it. A back-up is itself a further copy of classified data, so the backup media (the organization lists 70 backup USB drives) must be encrypted and access-controlled to the same standard as the originals.
IMPACT ON SEAGOVIA DEFENSE AND BANKING OPERATIONS
3 ON A SCALE OF 4 HIGH THREAT RISK
BIOMETRIC
Product Name: Aware, Inc. fingerprint readers
Product Usage:
• fingerprint and facial image auto-capture
• image QA and compliance assurance
• certified 1:1 fingerprint matching
• standards-compliant data formatting and validation
• service-oriented workflow server platform
Product Lifespan: 2 years (licence can be renewed)

FINANCIAL EXPENDITURE

INVESTMENT                  Price                              Number                     Subtotal
Raw equipment cost          $800 ($700 software + $100 reader) 16 servers                 $12,800
                                                               649 machines               $64,900
                                                               10 sensitive office rooms  $1,000
                                                                                          $65,900
Installation (1 day)        $100                               5 IT staff                 $500
Maintenance                 $100                               15 servers                 $18,000
Upgrade                     $50                                                           $50
Subtotal investment                                                                       ~$84,400

COST SAVINGS
Loss of data                3% × $5.0×10^6                                                $150,000
Loss of customer prospects  2% × $5.0×10^6                                                $100,000
Waste of human labour       $200                               10 staff                   $2,000
Loss of productivity        4% × $5.0×10^6                                                $200,000
Subtotal cost savings                                                                     ~$452,000

OVERALL SUMMARY
Total return on investment (cost savings − investment)                                    $367,600

* We assume that 10% of the machines contain sensitive data that only an admin or an employee with high-level clearance can access.
EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
Insecure authentication in banking or intelligence organizations can be catastrophic: loss of money, loss of confidential information and compromised data integrity. The technology above gives a strong way to prevent unauthorized individuals from entering a restricted place. Unlike a password or a badge, a fingerprint, face or iris cannot be lent or forgotten, and it is difficult to duplicate an individual's biometric features; sensors can still be spoofed, so biometrics are best used as one factor alongside another. In this way only specially cleared (high-level) employees gain access to sensitive information centres, reducing the risk of information leaving the organization's premises. It is up to Seagovia how many employees it enrols in biometrics.
IMPACT ON SEAGOVIA DEFENSE AND BANKING OPERATIONS
3 ON A SCALE OF 4 HIGH THREAT RISK
SSL VPN Cryptography
Product Name: OvisGate SSL VPN
Product Usage: VPN software that uses SSL, giving users the ability to access a remote network (e.g. workplace, home, school) from a web browser [10].
Product Lifespan: 2 years (licence can be renewed)

FINANCIAL EXPENDITURE

INVESTMENT                  Price               Number        Subtotal
Raw equipment cost          $1,000              5 admins      $5,000
Installation (1 day)        $100/person         10 IT staff   $1,000
Maintenance                 $100/month          5 machines    $6,000 (per year)
Upgrade                     $50                               $50
Subtotal investment                                           ~$12,050

COST SAVINGS
Loss of data                3% × $5.0×10^6                    $150,000
Loss of customer prospects  2% × $5.0×10^6                    $100,000
Waste of human labour       $100                5 staff       $500
Loss of productivity        4% × $5.0×10^6                    $200,000
Subtotal cost savings                                         ~$450,500

OVERALL SUMMARY
Total return on investment (cost savings − investment)        $438,450
EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
A VPN lets remote users access corporate information securely from approved locations. With this technology Seagovia users can reach highly confidential information from such locations while the information stays closed to everyone else; Seagovia can thus ensure that only cleared employees share information that lower-level employees do not need to access. A further advantage is that Seagovia can easily set up a secure extranet over which its employees transmit information. The authentication and encryption on that network prevent anyone outside the authorized group, insiders and outsiders alike, from breaching it.
IMPACT ON SEAGOVIA DEFENSE AND BANKING OPERATIONS
3 ON A SCALE OF 4 HIGH THREAT RISK
SECURE EMAIL
Product Name: ZSentry
Product Usage: secure email service
Product Lifespan: 1 year (licence can be renewed)

FINANCIAL EXPENDITURE

INVESTMENT                  Price               Number        Subtotal
Raw equipment cost          $80                 16 servers    $1,280
Installation (1 day)        $100/person         5 IT staff    $500
Maintenance                 $100/month          15 servers    $18,000 (per year)
Upgrade                     $50                               $50
Subtotal investment                                           ~$19,830

COST SAVINGS
Loss of data                3% × $5.0×10^6                    $150,000
Loss of customer prospects  2% × $5.0×10^6                    $100,000
Waste of human labour       $100                5 staff       $500
Loss of productivity        4% × $5.0×10^6                    $200,000
Subtotal cost savings                                         ~$450,500

OVERALL SUMMARY
Total return on investment (cost savings − investment)        $430,670
EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
This technology provides a secured email service within the organization. Its main purpose is to ensure that any information shared by email is protected. It provides a secure login with authentication, encryption and a proven anti-phishing solution, together with a sign, encrypt and send service. If Seagovia invests in this technology, it will save the time and effort of protecting mail by other means and allow classified information to be shared without the concern of it reaching the wrong parties. It will also help in sharing confidential bank records between individuals while keeping external identities off the record, saving the time and effort that a leak of information through email would cost. The probability of an information breach through email is not high, but since Seagovia handles national information it is important not to leave any corner unattended.
IMPACT ON SEAGOVIA DEFENSE AND BANKING OPERATIONS
3 ON A SCALE OF 4 HIGH THREAT RISK
ACTIVE DIRECTORY
Product Name: Active Directory Service by Microsoft
Product Usage:
Product Lifespan: 1 year (licence can be renewed)

FINANCIAL EXPENDITURE [12]

INVESTMENT                  Price               Number        Subtotal
Raw equipment cost          $1,000              5 admins      $5,000
Installation (1 day)        $50                 5 IT staff    $250
Maintenance                 $100                5 machines    $6,000
Upgrade                     $50                               $50
Subtotal investment                                           ~$11,300

COST SAVINGS
Loss of data                3% × $5.0×10^6                    $150,000
Loss of customer prospects  2% × $5.0×10^6                    $100,000
Waste of human labour       $100                5 staff       $500
Loss of productivity        4% × $5.0×10^6                    $200,000
Subtotal cost savings                                         ~$450,500

OVERALL SUMMARY
Total return on investment (cost savings − investment)        $439,200
EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
Active Directory offers the following advantages:
1. Fully integrated security in the form of user logons and the cryptographic material behind them.
2. Easy administration of group policies and permissions.
3. Scalability, flexibility and extensibility as data is upgraded.
4. Integration with other directory services.
5. Support for multiple authentication protocols.
All of these factors show that data security is a major thing to control. National data is stored at Seagovia and has to be protected from breach; the cost of such a breach is catastrophic and cannot be calculated. The only solution our consulting team suggests is to adopt this technology.
IMPACT ON SEAGOVIA DEFENSE AND BANKING OPERATIONS
3 ON A SCALE OF 4 HIGH THREAT RISK
SELF ENCRYPTING DRIVE
Product Name: Seagate Momentus FDE self-encrypting drive
Product Lifespan: 1 year (licence can be renewed)

FINANCIAL EXPENDITURE

INVESTMENT                  Price               Number        Subtotal
Raw equipment cost          $130*               500           $65,000
Maintenance                 $0                                $0
Upgrade                     $50                               $50
Subtotal investment                                           ~$65,050

COST SAVINGS
Loss of data                3% × $5.0×10^6                    $150,000
Loss of customer prospects  2% × $5.0×10^6                    $100,000
Waste of human labour       $100                5 staff       $500
Loss of productivity        4% × $5.0×10^6                    $200,000
Subtotal cost savings                                         ~$450,500

OVERALL SUMMARY
Total return on investment (cost savings − investment)        $385,450

* Including installation cost
EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
We have already recommended VPN cryptography for the organization's information systems, but that protects data only while it passes through that software in transit. Data stored on an employee's own machine, which never goes through it, remains exposed to breach or theft, for example when a laptop is lost or stolen. We therefore advise a self-encrypting hard drive, so that all data written to the user's machine is encrypted automatically as it is stored, closing this channel for a security breach. Bank account details, usernames, passwords and the like are then encrypted at rest, and the key to that data is released only to the machine's authenticated user. Note that drive encryption protects data at rest on a powered-off or locked machine: once the user has unlocked the drive, the operating system and any malware running on it see the data in clear, so the drive complements rather than replaces the antivirus and access-control measures above.
IMPACT ON SEAGOVIA DEFENSE AND BANKING OPERATIONS
3 ON A SCALE OF 4 HIGH THREAT RISK
CONFIGURATION/PATCH MANAGEMENT
Product Name: GFI LANguard
Product Usage: GFI LANguard is a complete network vulnerability management solution that allows you to scan, detect, assess and remediate security vulnerabilities and provides patch management functionality [14].
Product Lifespan: 1 year (licence can be renewed)

FINANCIAL EXPENDITURE

INVESTMENT                  Price               Number        Subtotal
Raw equipment cost          $380*               5 admins      $1,900
Installation (1 day)        $100/person         5 IT staff    $500
Maintenance                 $100                5 machines    $6,000
Upgrade                     $50                               $50
Subtotal investment                                           ~$8,450

COST SAVINGS
Loss of data                3% × $5.0×10^6                    $150,000
Loss of customer prospects  2% × $5.0×10^6                    $100,000
Waste of human labour       $100                5 staff       $500
Loss of productivity        4% × $5.0×10^6                    $200,000
Subtotal cost savings                                         ~$450,500

OVERALL SUMMARY
Total return on investment (cost savings − investment)        $442,050

* Including 2 years' maintenance.
EFFECTS OF NOT IMPLEMENTING SUCH A TECHNOLOGY
Patch management software protects the integrity of data by keeping systems current. With the technology above, deployment of patches to ISA Server machines, letting the administrator specify which updates are required, data migration and export/import features, and reporting that lets the administrator monitor update activity across the network are all easily implemented. These capabilities add a layer of control to update activity within the network. While the technologies recommended earlier keep track of what happens on the network, this one lets the administrator see which updates the network needs and roll them out. A patch can itself become the vector for a breach if it is untrusted or untested, so the tool's scanning and reporting, combined with testing patches before deployment, provide the administrative control required to protect the data.
IMPACT ON SEAGOVIA DEFENSE AND BANKING OPERATIONS
3 ON A SCALE OF 4 HIGH THREAT RISK
REFERENCES
1. Return on Security Investment: Interpreting ROSI. http://blogs.globalcrossing.com/?q=content/rosi-return-security-investment
2. Office Information. http://en.wikipedia.org/wiki/Prime_Minister's_Office_(Singapore)
3. Salaries of Government Employees. http://www.payscale.com/research/US/People_Employed_by_the_Government/Salary
4. Antivirus Software. http://anti-virus-software-review.toptenreviews.com/ppc-index.html?cmpid=4637
5. Antivirus Software Installation. http://www.brokelyn.com/computer-repair-in-brooklyn/ ; http://www.answers.com/license+renewal+fee+of+antivirus+software
6. Intrusion Detection System. http://www.timberlinetechnologies.com/products/intrusiondtct.html ; http://www.ciscopress.com/articles/article.asp?p=25334
7. Cisco VPN Cost. http://www.cisco.com/global/EMEA/ciscoitatwork/pdf/it-at-work-cisco-access-vpn.pdf
8. Back-up Software. http://data-backup-software-review.toptenreviews.com/
9. Biometric. http://www.findbiometrics.com/middleware-software/
10. SSL VPN. http://www.ovislink.com/newovislink/products/VPN/SSL/SSL.asp ; http://download.cnet.com/OvisGate-SSL-VPN-Server/3000-7240_4-10294896.html
11. ZSentry. http://zsentry.com/how_zmail.htm
12. Active Directory License Cost. http://www.jijitechnologies.com/jiji-active-directory-reports-reporting-tools-adr-pricing.aspx
13. Self Encrypting Drive. http://www.seagate.com/staticfiles/support/sedqual/MB595_1_0905US_SelfQual.pdf
14. Patch Management Software. http://www.windowsecurity.com/software/Patch-Management/ ; http://www.gfi.com/whitepapers/patch-management.pdf