Introduction
When prioritizing security controls, it’s important to consider both timing and impact.
Prioritize by time.
- Immediate Controls: Identify the security controls that must be implemented immediately to address the most pressing risks. This includes controls for vulnerabilities that are being actively exploited and controls needed to meet legal or regulatory requirements.
- Short-Term Controls: Identify the security controls that can be implemented in the short term, typically within the next 6-12 months. This could include controls to address vulnerabilities that are likely to be exploited in the near future or to improve overall security posture.
- Long-Term Controls: Identify the security controls that can be implemented over the long term, typically within the next 1-3 years. This could include controls to address emerging threats or to improve the organization’s security maturity.
Prioritize by impact.
Once you have identified the controls whose absence would have the highest impact on your organization, rank the remaining medium- and low-impact ones. An impact matrix helps here: a table whose columns are the impact levels (high, moderate, and low) and whose rows are your risks. In the cell for a risk's rated impact level, enter “#” if an applicable control has been assigned to it, or “X” if the risk was assessed but no applicable control exists yet.
- Note: A cell that contains neither an X nor a # means the risk was never assessed at that level and no control was assigned to it. Revisit it in future scoping rather than treating it as covered.
Security priorities should be based on both timing and impact.
Neither factor is sufficient on its own: a control's urgency comes from where it falls on both axes, and the combination is what decides the order of work.
For example, suppose an application must launch in three months but does not yet have customers (low impact). It may be better to invest in the development process for new features than in encryption or monitoring tooling right now, with the caveat that both are cheaper to build in before launch than to retrofit once customer data is flowing. On the other hand, an existing system with thousands of users that is experiencing serious performance issues (high impact) is a strong candidate for immediate remediation.
Beyond these two factors, legal requirements and regulatory constraints can force a specific control ahead of others, regardless of where it would otherwise land on the time and impact axes.
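As an added illustration that is not part of the original post, the impact matrix and the time-plus-impact ordering described above can be expressed in a few lines of Python. The risk names, control names and ratings are constructed sample data, the `Risk` type and the function names are the example's own, and the rule that a legal or regulatory driver moves a risk into the immediate bucket follows the immediate-controls bullet above. The one interpretation added here is that a row with neither an X nor a # is what flags a risk for future scoping.

```python
"""Added example, not code from the original post: a time-and-impact
prioritization matrix with the X / # coverage check described above.
Every risk, control and assignment below is constructed sample data."""
from dataclasses import dataclass, field
from typing import Optional

IMPACT_LEVELS = ("high", "moderate", "low")           # matrix columns
IMPACT_RANK = {level: i for i, level in enumerate(IMPACT_LEVELS)}
HORIZON_RANK = {"immediate": 0, "short-term": 1, "long-term": 2}


@dataclass
class Risk:
    name: str
    horizon: str                   # immediate / short-term / long-term
    impact: Optional[str] = None   # rated level, or None if never assessed
    regulatory: bool = False       # legal or regulatory driver
    controls: list = field(default_factory=list)  # controls assigned to it


def matrix_cell(risk, level):
    """'#' = an applicable control is assigned at the risk's rated level,
    'X' = rated at this level but no applicable control yet,
    '' = blank (not rated at this level)."""
    if risk.impact != level:
        return ""
    return "#" if risk.controls else "X"


def coverage_matrix(risks):
    """Rows are risks, columns are impact levels, as in the post."""
    return {r.name: {lvl: matrix_cell(r, lvl) for lvl in IMPACT_LEVELS}
            for r in risks}


def uncovered_risks(risks):
    """'X' cells: assessed, but no applicable control exists yet."""
    return [(r.name, lvl) for r in risks for lvl in IMPACT_LEVELS
            if matrix_cell(r, lvl) == "X"]


def unscoped_risks(risks):
    """Rows with neither an X nor a #: never assessed, never assigned a
    control. These are the ones to revisit in future scoping."""
    return [r.name for r in risks
            if not any(matrix_cell(r, lvl) for lvl in IMPACT_LEVELS)]


def priority_order(risks):
    """Time first, then impact. A legal or regulatory driver pulls a risk
    into the immediate bucket; unrated risks sort after every rated one.
    sorted() is stable, so ties keep their input order."""
    def key(r):
        horizon = "immediate" if r.regulatory else r.horizon
        return (HORIZON_RANK[horizon],
                IMPACT_RANK.get(r.impact, len(IMPACT_LEVELS)))
    return [r.name for r in sorted(risks, key=key)]


# Constructed sample data: hypothetical risks and control names.
SAMPLE_RISKS = [
    Risk("actively exploited RCE in edge service", "immediate", "high",
         controls=["emergency patch", "virtual patch at the WAF"]),
    Risk("PCI logging gap", "short-term", "moderate", regulatory=True,
         controls=["central log forwarding"]),
    Risk("no MFA on admin portal", "short-term", "high"),   # rated, no control yet
    Risk("pre-launch app with no customers", "long-term"),  # never rated: blank row
]

if __name__ == "__main__":
    for name, row in coverage_matrix(SAMPLE_RISKS).items():
        cells = " ".join(f"{lvl}:{row[lvl] or '.'}" for lvl in IMPACT_LEVELS)
        print(f"{name:40s} {cells}")
    print("uncovered:", uncovered_risks(SAMPLE_RISKS))
    print("unscoped:", unscoped_risks(SAMPLE_RISKS))
    print("order:", priority_order(SAMPLE_RISKS))
```

Running the script prints the matrix row by row, then the X cells (rated risks with no control), the blank rows to revisit, and the final work order. The "no MFA" entry is the interesting one: it is high impact but not yet actively exploited, so it lands behind the regulatory item even though the regulatory item is only moderate impact, which is exactly the time-before-impact ordering the post argues for.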
Conclusion
When prioritizing security controls, timing and impact are both important factors. You cannot focus on one and ignore the other; together they help you make better decisions about how best to protect your organization. The sooner a vulnerability is discovered and remediated, the less likely attackers are to exploit it. Likewise, if a threat does cause damage before security controls mitigate it, the risk of data loss or business disruption rises, and recovery may take longer than expected if the information security program lacks the resources to respond.