Not all security incidents can be prevented, nor is it cost-effective to try. Each control should be evaluated on its own merits prior to implementation. Issues to consider: direct costs, training, decreased
To help security managers implement recommendations is the just-released incident response guide by the National Institute of Standards and Technology (NIST) that emphasizes being prepared for various security breaches.
The guide suggests management controls that focus on compliance with the information protection policy, guidelines and standards to manage and reduce the risk of loss and protect an organization's mission. Detection controls warn of violations or attempted violations of security policy and include audit trails, intrusion detection methods and checksums. Recovery controls can be used to restore lost computing resources.
"In order to get a solid handle on all vulnerabilities, enterprises need sound policy definition and the ability to define secure states for different classes of systems," said Steve Solomon, CEO of Citadel Security, a provider of automated vulnerability remediation and policy enforcement solutions.
To ensure cost-effective controls and to allocate resources, organizations should conduct a cost-benefit analysis for each control to determine which are appropriate, says NIST. Each control should be evaluated for impact and cost of implementation, including purchase price, reduced system performance or functionality versus increased security, and hidden costs such as additional personnel and training, maintenance, and the cost of implementing additional policies and procedures.
"The costs and benefits should be weighed against system and data criticality in terms of maintaining an acceptable mission posture for the organization," said Gary Stoneburner, an IT specialist in the security division at NIST who coauthored the guide. Just as there is a cost for implementing a needed control, there's a cost for not implementing it, according to the guide.
NIST's guide also includes sample questions to ask site personnel to gain an understanding of the operational characteristics of an organization and a sample risk assessment report outline.