FUJITSU RESEARCH INSTITUTE


Optimization of Security Investment, and Recent Examples (Series)

Part 2: Eliminating Productivity Inhibitors with Uniform Security Measures: Selecting Prohibitive Rules

Masatoshi Hirota
Senior Consultant

Ryosuke Miura
Consultant

September 16, 2009 (Wednesday)

1. Introduction

This series introduces examples, from a long record of information security consulting, of optimizing investment and cutting costs by reexamining information security measures.

2. Example 2: Selecting prohibitive rules

Prohibitive rules such as “X is prohibited” are commonplace among the procedures and rules of many companies. The following is an example of verifying whether a prohibitive rule is a reasonable measure for a particular company.

3. Background

Service Company A has been working to protect personal information for several years. As part of these efforts, Company A is seeking to obtain a privacy mark in order to differentiate itself from rival companies, and is considering enhancing its safety control measures so as to reduce the risk of leaking personal information once the privacy mark is acquired.

4. Adverse effects of a “prohibitive rule”

Company A is considering a rule to “prohibit taking laptop computers outside of the company” as a way to strengthen its safety control measures. Part of Company A’s business, however, requires frequent work (creating documents and administrative tasks) at clients’ offices. A rule to “prohibit taking laptop computers outside” would force employees working at clients’ offices to return to the company to do this work, adding travel time and increasing labor costs.

Cost of applying the rule to “prohibit taking laptop computers outside of the company”:

  • Number of workers necessary to complete work at clients’ offices: 80
  • Cost of worker per hour: 6,000 yen
  • Travel time required to return to the company: 45 minutes average
  • Work days per year: 250 (computers are taken outside about once every two days)

80 workers × 4,500 yen (cost of 45 minutes at 6,000 yen per hour) × 125 days (number of days per year computers are taken outside) = 45 million yen

5. Selecting the reasonable measure

FRI considers each client’s situation and business and proposes reasonable solutions when drafting specific measures and rules related to information security. In the example of Company A, factors such as the increase in costs and administrative efficiency were considered, and the following measure was suggested.

Cost of applying FRI’s suggested measure, “prohibit everyone except the workers who need them at clients’ offices from taking laptop computers outside of the company”:

  • Laptop computer (equipped with fingerprint authentication): 150,000 yen
  • Encryption software (per license): 20,000 yen
  • Software maintenance and management costs per year: 2 million yen

(80 computers × 150,000 yen) + (80 licenses × 20,000 yen) + 2,000,000 yen = 15.6 million yen
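The two calculations above can be turned into a small reusable cost model. The following is an added example, not part of the column or FRI’s material: it uses the Company A figures quoted above, but the multi-year horizon, the one-device-per-worker assumption and the break-even search are assumptions introduced here to show where the comparison tips.

```python
"""Comparing a prohibitive rule with a technical control on cost.

Added example using the Company A figures quoted in the column. The
multi-year horizon and the break-even search are assumptions made here;
the column itself compares only the first year.
"""
from dataclasses import dataclass
from math import floor
from typing import Optional


@dataclass(frozen=True)
class ProhibitionRule:
    """Cost of 'no laptops leave the building': lost working time."""
    workers: int                 # staff who must work at client offices
    hourly_cost_yen: int         # fully loaded cost of one worker-hour
    return_trip_minutes: int     # extra travel the rule forces per outing
    outings_per_year: int        # days per year a laptop would be taken out

    def cost_per_worker_year(self) -> float:
        return self.hourly_cost_yen * self.return_trip_minutes / 60 * self.outings_per_year

    def cost_over(self, years: int) -> int:
        # Entirely recurring: the productivity loss repeats every year.
        return round(self.workers * self.cost_per_worker_year() * years)


@dataclass(frozen=True)
class TechnicalControl:
    """Cost of letting laptops out with compensating controls."""
    devices: int
    laptop_unit_cost_yen: int        # one-off, fingerprint-reader laptop
    encryption_license_yen: int      # one-off, one license per device
    annual_maintenance_yen: int      # recurring, independent of headcount

    def cost_per_device(self) -> int:
        return self.laptop_unit_cost_yen + self.encryption_license_yen

    def cost_over(self, years: int) -> int:
        # One-off purchase plus maintenance for each year in the horizon.
        return self.devices * self.cost_per_device() + years * self.annual_maintenance_yen


def break_even_headcount(rule: ProhibitionRule, control: TechnicalControl) -> Optional[int]:
    """Smallest headcount at which the control is cheaper than the rule in year one.

    Assumes one device per worker (an assumption of this example). Per
    worker the rule costs p yen and the control c yen plus a fixed
    maintenance fee F; the control wins once n*c + F < n*p, i.e. n > F/(p-c).
    Returns None when the control is never cheaper (p <= c).
    """
    p = rule.cost_per_worker_year()
    c = control.cost_per_device()
    if p <= c:
        return None
    return floor(control.annual_maintenance_yen / (p - c)) + 1


def compare(rule: ProhibitionRule, control: TechnicalControl, years: int) -> dict:
    """Return both totals and the saving from choosing the control."""
    rule_cost = rule.cost_over(years)
    control_cost = control.cost_over(years)
    return {"years": years, "rule": rule_cost, "control": control_cost,
            "saving": rule_cost - control_cost}


# Figures quoted in the column for Company A.
COMPANY_A_RULE = ProhibitionRule(workers=80, hourly_cost_yen=6_000,
                                 return_trip_minutes=45, outings_per_year=125)
COMPANY_A_CONTROL = TechnicalControl(devices=80, laptop_unit_cost_yen=150_000,
                                     encryption_license_yen=20_000,
                                     annual_maintenance_yen=2_000_000)


if __name__ == "__main__":
    for horizon in (1, 3):
        print(compare(COMPANY_A_RULE, COMPANY_A_CONTROL, horizon))
    print("control cheaper from headcount:",
          break_even_headcount(COMPANY_A_RULE, COMPANY_A_CONTROL))
```

Two things the model makes visible that the single-year figures do not: the prohibition’s 45 million yen is a recurring loss while most of the 15.6 million yen is a one-off purchase, so the gap widens every year the laptops stay in service; and because the 2 million yen maintenance fee is fixed, the technical control only becomes the cheaper option from six affected workers upward, so a much smaller company would reach the opposite conclusion with the same unit prices.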

Company A considered the balance between business efficiency and safety, and adopted FRI’s recommended measure.

6. Conclusion

Selecting prohibitive rules can ensure a high level of safety, but can also damage productivity and efficiency and in many cases increase costs. The worsening global economic climate is forcing many companies to become even more efficient. Instead of the traditional pattern of selecting information security measures that prioritize only safety, companies must consider balancing productivity and efficiency with safety and choose the most reasonable measure available.

The next part of the series introduces “ledger management.”