Security Management Program Value Calculator
User Guide: Security Management Program Value Calculator
Verizon Security Management Program (SMP)
1. Overview

The Verizon Security Management Program (SMP) is an enterprise-wide security control assessment and validation program based on ISO/IEC 27001 and 27002 that can continuously support the management of governance, risk, and security compliance processes.

The Security Management Program Value Calculator (SMP Value Calculator) is designed to calculate the value of implementing the SMP with regard to several key components of managing and maintaining a holistic security program. This flexible, easy-to-use calculator can be used to quickly gain an understanding of the value of the SMP, particularly how it compares to current or planned in-house efforts. The results will allow you to evaluate the financial impacts that the SMP can potentially have on your security budget.

Disclaimer: This Security Management Program Value Calculator is designed to estimate and quantify the potential value/return on investment of implementing the Verizon Security Management Program. While the Verizon Security Management Program (SMP) has an established track record of providing substantial benefits to customers, specific costs and benefits vary by customer and can be significantly influenced by many factors. The use of this calculator is at customer’s sole discretion as a guide only and does not guarantee any specific results. Calculations and analysis contained herein are based on estimates, assumptions, and customer provided information, all of which can vary from case to case. VERIZON BUSINESS MAKES NO REPRESENTATIONS THAT THESE RESULTS WILL BE ACHIEVED OR WARRANTIES OF ANY KIND.
2. Accessing the SMP Value Calculator

Please visit http://www.verizonbusiness.com/products/security/compliance/mgmt/smpcalculator/ to see sample scenarios demonstrating potential benefits. The scenarios show a static view of the calculator. Please contact a Verizon Business representative to use a dynamic version of this calculator by sending email to smp-calculator@verizonbusiness.com.

3. SMP Value Propositions

There are several value propositions that our SMP can bring to most organizations, but two are especially important because of how they relate to this value calculator.

1. Replace Existing Costs
As part of the SMP, Verizon Business performs certain activities to validate the implementation of security controls. These activities are oftentimes already being performed in-house or with similar tools and/or services. Rather than pay twice for similar functionality, SMP allows you to reduce or eliminate the overlap.

2. Improve Efficiencies of Existing Resources
The SMP reports information as it relates to the implementation of security controls. This information is valuable for proper decision making for many actions from tactical security operations to strategic direction. By having access to this information, the SMP allows you to improve the efficiency with which these resources are used or deployed, thus reducing the time and effort normally spent performing these tasks.

As you review the variables listed below, please note that the “Vulnerability management tools & services, PCI scanning” variable falls into the Replace Existing Costs value proposition. All other variables relate to the Improve Efficiencies of Existing Resources value proposition.

4. Currency Menu

The pull-down menu indicating currency symbols allows users to select the currency most appropriate for their situation. It should be noted that the dollar symbol ($) refers to US dollars. Some countries such as Australia, Canada, Singapore, etc. also use the dollar symbol, but users in these countries should note that the calculator cannot perform currency conversions. Please contact Verizon Business by sending email to smp-calculator@verizonbusiness.com to have a representative address your local requirements.

5. SMP Value Calculator Variables

The SMP Value Calculator uses a number of variable cost components that can be customized to closely resemble your organization's conditions. By changing these cost component variables, you will see estimates of the current cost for assessing and validating your security controls, as well as the estimated savings/value of implementing the SMP. The variables are described in the tables below.
Organization Profile

| Variable | Description | Range | Default |
|---|---|---|---|
| Number of world-wide employees regularly using a PC | Total number of employees that are regularly using a PC as part of their day-to-day responsibilities. For example, exclude retail staff that operate in a point-of-sale location or manufacturing staff that operate machinery other than PCs. Another way to estimate this number is to determine the total number of desktop and laptop PCs in current use throughout your organization world-wide. | 100 – 30,000 | 5,000 |
| Number of world-wide datacenters and main or critical-server facilities | Total number of the key physical locations that operate business critical servers and IT systems. For example, count locations that possess back-up power supply systems or impose special physical access restrictions. | 1 – 15 | 3 |
| Approximate annual cost of an IT security full-time equivalent (FTE) | Average total cost, including benefits, of the employees in your organization that are responsible for managing and maintaining information security. | 50,000 – 250,000 | 125,000 |
Organization Profile (continued)

| Variable | Description | Range | Default |
|---|---|---|---|
| Estimated Annual Loss Expectancy (ALE) of direct and indirect costs related to security incidents | The expected direct and indirect monetary loss due to a security incident typically involving loss of data records. This can be a difficult number to estimate. What follows is one particular method for estimating this value. The Verizon Data Breach Investigations Report (DBIR) (http://www.verizonbusiness.com/databreach) points to many interesting pieces of information to help companies estimate their ALE. This report does not specifically indicate financial losses related to data breaches, nor the direct likelihood of such data breaches occurring; the rationale for this is explained in the report and on its blog (http://securityblog.verizonbusiness.com/category/2009dbir/). However, the DBIR does show a table on page 12 with the average number of records lost per security incident investigated by Verizon Business in 2008. This information is broken down by external, internal and partner source of the data breach. Using these numbers, a quick estimation of your potential ALE can be made by estimating the cost per record of data based on your particular line of business, size and type of organization. Estimate the frequency of occurrence of an external, internal, or partner breach and multiply the value per record by the number of records at risk. Annualize this cost to arrive at your ALE. Example: Suppose that you suffer a security breach every year, once from each source respectively, and that each record of data in your company has a value of $5.50. External: 28,175 x $5.50 = $154,963. Internal: 20,000 x $5.50 = $110,000. Partner: 8,700 x $5.50 = $48,850. Total = $312,813. ALE = $312,813 / 3 = $104,271. | 0 – 1,000,000 | 100,000 |
| Estimated annual savings attributed to improved ability to prioritize budget allocation of security and IT projects | Security projects rarely reduce risk in proportionate and relative terms to each other. That is, two security implementations that cost the same may reduce risk in different proportions. Thus, some security projects present greater overall value in terms of risk reduction than other security projects. The ability to select which projects are more cost-effective, and present greater value, is a difficult task and oftentimes requires specialized knowledge and experience. Suppose that you have a security budget of $1,000,000 and have been told to cut spending by ten percent. Which projects do you cut while still retaining a reasonable degree of comfort with respect to the protection of your data? With this variable, estimate the amount you hope to save if you had an improved ability to prioritize security budgets. | 0 – 1,000,000 | 100,000 |
Productivity

| Variable | Description | Range | Default |
|---|---|---|---|
| Hours per week to research and analyze threat and vulnerability information, bulletins, and advisories | The total number of hours that are collectively spent by staff with specific responsibility to research emerging security information. For example, 2 people respectively spend approximately 10 hours (1 full day plus follow-up) analyzing Microsoft Security Bulletins each month. Thus, 2 x 10 = 20 hours divided by 4 weeks equals 5 hours per week. | 0 – 40 | 5 |
| Hours per week to consolidate and analyze security assessment results and to prioritize remediation efforts | The total number of hours that are collectively spent by staff with specific responsibility to analyze operational security information such as vulnerability assessments or audit reports with the objective of planning and prioritizing remediation efforts. For example, 2 people respectively spend approximately 2.5 days performing these activities each month. Thus, 2 x 2.5 x 8 = 40 hours divided by 4 weeks equals 10 hours per week. | 0 – 40 | 10 |
| Hours per week to consolidate and analyze results data to produce compliance related reports | The total number of hours that are collectively spent by staff with specific responsibility to produce IT security compliance related reports. For example, 1 person requires 1.5 days to plan, execute, and generate a network scan report for quarterly compliance requirements. Thus, 1 x 1.5 x 8 = 12 hours divided by 12 weeks equals 1 hour per week. | 0 – 40 | 1 |
| Estimated annual costs to execute out-of-cycle patch deployments | The total annual cost to deploy system and server patches outside of regularly scheduled maintenance cycles including extra or special analysis, testing, staff overtime, risk of downtime, and/or unplanned support. | 0 – 1,000,000 | 100,000 |

Estimated Annual Costs for Tools & Services

| Variable | Description | Range | Default |
|---|---|---|---|
| Vulnerability management tools & services, PCI scanning | The total annual cost of the management of server and network vulnerabilities, compliance scanning obligations, or asset discovery projects, including but not limited to any software licenses, maintenance and support fees, software-as-a-service fees, consulting engagements, etc. | 0 – 1,000,000 | 100,000 |
| Policy & configuration management tools & services | The total annual cost of the management of security policies and procedures, system configuration for security purposes, or security operations including but not limited to any software licenses, maintenance and support fees, software-as-a-service fees, consulting engagements, etc. | 0 – 1,000,000 | 100,000 |
| Security compliance reporting tools & services (i.e. dashboards, consulting) | The total annual cost of the consolidation of security and compliance data, the analysis of such data, or the report generation of such data including but not limited to any software licenses, maintenance and support fees, software-as-a-service fees, consulting engagements, etc. | 0 – 1,000,000 | 50,000 |
6. Changing the Default Settings

There are two ways to change the variables to more closely reflect your organization's parameters.

• Use the slider bar to increase or decrease the corresponding value of the variable within the given range limits shown in the table above.
• Double-click on the white input box to enter a specific value of your choice.

Any variable that shows a cost can be shown with a dollar, Euro, or British pound currency symbol. No currency exchange rates are applied to the calculations. To change the symbol, pull down the menu found in the top-right corner of the red section of the tool.

7. SMP Value Calculator Outputs

The SMP Value Calculator will automatically adjust the following three output sections as you change the variables to reflect your organization's profile or desired scenarios.

A. SMP Results
B. Estimated Annual Savings vs. Cost Chart
C. Estimated Annual Savings Chart

A. SMP Results

This output section displays the overall SMP value for your chosen inputs including return-on-investment (ROI), payback period in months and cumulative estimated savings over a 3 year period.

Return on Investment (ROI) is the percentage return expected over a specified period of time; in this case it is 3 years. ROI is the total benefit (Estimated savings - total cost) divided by the total cost. This ROI metric is good for assessing the multiplier effect provided by the benefits relative to the total investment and costs.

Return on Investment = (Estimated Savings - Cost of SMP) / Cost of SMP

Estimated Savings: the sum of your improved security costs as calculated, over a 3 year period
Cost of SMP: the estimated costs to enroll in the SMP, over a 3 year period

B. Estimated Annual Savings vs. Cost Chart

The first column of this chart shows your estimated current costs for the given security activities accounted for within the tool (shown in blue) and compares it to the estimated new costs after the purchase of SMP over a three year period (shown in red). The black bars show the estimated amount saved over each annual period. You can hover your mouse pointer over any section in the chart to view the specific calculated value.
C. Estimated Annual Savings Chart

This chart shows the estimated savings that can potentially be achieved each year with the implementation of the Verizon Security Management Program. The estimated savings are based on the variable information you provide, as well as the assumptions identified below in the “Impact of Variable Values on Results” section.
8. Impact of Variable Values on Results

Organization Profile

1. The cost of SMP is roughly estimated using a number of assumptions based on number of employees and number of critical server locations. An accurate cost can only be achieved with a proper scoping exercise conducted by a qualified Verizon Account Manager, Sales Engineer, and/or SMP Delivery Manager. Please contact Verizon Business to arrange for an appointment to review the results of this calculator.
2. Annual Loss Expectancy (ALE) can generally be dramatically reduced through the implementation of well-managed security controls. The assumption made within this calculation is that SMP will cut ALE in half (50%). This number will vary based on individual circumstances. This assumption can be modified upon request.
3. The value you provided for estimated annual savings per year as a result of an improved ability to prioritize budget allocation is directly applied (100%) to the SMP savings calculation.

Productivity

1. The first three variables relate to the in-house resource expenditure of time to complete several security functions that can be handled more efficiently with the implementation of the SMP. A monetary value for these services is associated through your determination of the approximate annual cost of IT security full-time equivalents (FTE). The current annual cost is calculated in the following manner: # of hours per week x 52 weeks x annual FTE cost / 2000 hours per year. The estimated savings generated by the SMP are based on the assumption that the SMP can reduce and/or replace these activities by 40% in the first year, 45% in the second year, and 50% in the third year. The increasing amounts of cost reductions are based on the assumption that the SMP will become more greatly integrated in the standard processes and procedures of your security framework. Clients generally make more use of, and have greater reliance on, the SMP as time goes on.
2. The fourth variable relates to the cost of out-of-cycle patching. The estimated savings generated by SMP are based on the assumption that the SMP can reduce the need for out-of-cycle patching by 80% throughout the contract life of SMP. This assumption can be modified upon request.

Current Cost of Existing Tools & Services

1. These three variables relate to the in-house costs of tools and services as described in the SMP Value Calculator Variable table above. The estimated annual cost includes the values you provide in each of these fields. The estimated savings are based on the assumption that the SMP can reduce and/or replace these tools and services by 40% in the first year, 45% in the second year, and 50% in the third year. The increasing amounts of cost reductions are based on the assumption that the SMP will become more greatly integrated in the standard processes and procedures of your security framework. Clients generally make more use of, and have greater reliance on, the SMP as time goes on.

9. Saving Your Scenarios

It is possible to save the input settings of a particular scenario for examination at a later point in time. You can do this by clicking on the “save” button in the upper right hand corner of the calculator to pull down the following three menu options: Save, Load, and Delete.
A handy tip is to save the default settings of the value calculator. You can then easily return to the original starting point prior to any of your personal modifications without having to reload your browser.

Save
When you click on the Save menu option, a new window pops up. Enter a name in the field provided (ex: Default) and click the Save button to record the input settings for later use. The input settings are stored within the browser of the current user and thus are only accessible from the same user browser.

Load
To load a saved scenario, click on the Load button to open the pop-up window with a list of available scenarios. When you select the desired scenario, it will be highlighted and shown in the field at the bottom left. Click on the Load button and you will be returned to the calculator with all the values adjusted to the saved settings.

Delete
To delete a saved scenario, click on the Delete button to open the pop-up window with a list of available scenarios. When you select the desired scenario, it will be highlighted and shown in the field at the bottom left. Click on the Delete button and you will be asked to confirm the deletion. If you confirm, then that scenario will be removed from the list and you will return to the value calculator.
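The savings arithmetic described in "Impact of Variable Values on Results", together with the ALE estimation method and the ROI formula, can be reproduced offline to check how much the result depends on the stated assumptions. The following is an added example, not Verizon's calculator code: the class and function names are hypothetical, the 3-year SMP cost of 600,000 is a constructed placeholder (the guide does not publish the pricing model), and the "conservative" percentages are constructed for the sensitivity check.

```python
from dataclasses import dataclass

@dataclass
class Inputs:  # defaults are the calculator defaults from the variable tables
    fte_cost: float = 125_000
    ale: float = 100_000
    prioritization_savings: float = 100_000
    weekly_hours: tuple = (5, 10, 1)   # research, assessment analysis, compliance reports
    patch_cost: float = 100_000
    tools: tuple = (100_000, 100_000, 50_000)  # vuln mgmt, policy/config, reporting

@dataclass
class Assumptions:  # percentages stated in the guide; "can be modified upon request"
    ale_cut_pct: float = 50
    prioritization_pct: float = 100
    patch_cut_pct: float = 80
    ramp_pct: tuple = (40, 45, 50)     # labour and tools reduction, years 1..3

def ale_from_records(records_by_source, value_per_record, incidents_per_year=1.0):
    """Guide's ALE method: mean loss per incident across sources x yearly frequency."""
    losses = [n * value_per_record for n in records_by_source.values()]
    return sum(losses) / len(losses) * incidents_per_year

def labour_cost(inp):
    """Current annual cost: hours per week x 52 weeks x FTE cost / 2000 hours."""
    return sum(inp.weekly_hours) * 52 * inp.fte_cost / 2000

def yearly_savings(inp, a=Assumptions()):
    """Estimated savings for years 1, 2 and 3 under the given assumptions."""
    fixed = (inp.ale * a.ale_cut_pct
             + inp.prioritization_savings * a.prioritization_pct
             + inp.patch_cost * a.patch_cut_pct) / 100
    ramped_base = labour_cost(inp) + sum(inp.tools)
    return [fixed + ramped_base * pct / 100 for pct in a.ramp_pct]

def roi(inp, smp_cost_3yr, a=Assumptions()):
    """ROI = (Estimated Savings - Cost of SMP) / Cost of SMP, over 3 years."""
    return (sum(yearly_savings(inp, a)) - smp_cost_3yr) / smp_cost_3yr

# Constructed sensitivity case: halve the vendor's reduction assumptions.
CONSERVATIVE = Assumptions(ale_cut_pct=25, prioritization_pct=50,
                           patch_cut_pct=40, ramp_pct=(20, 25, 30))
SMP_COST_3YR = 600_000  # placeholder; a real figure comes from a scoping exercise

if __name__ == "__main__":
    dbir = {"external": 28_175, "internal": 20_000, "partner": 8_700}
    print("ALE from records:", round(ale_from_records(dbir, 5.50)))
    defaults = Inputs()
    print("Yearly savings:", yearly_savings(defaults))
    print("ROI (guide assumptions):", round(roi(defaults, SMP_COST_3YR), 4))
    print("ROI (conservative):", round(roi(defaults, SMP_COST_3YR, CONSERVATIVE), 4))
```

With the default inputs, most of the estimated savings come from the fixed-percentage assumptions (ALE, prioritization, patching) rather than from the measured labour hours, so those are the figures to challenge first.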
10. Summary

The SMP Value Calculator is a convenient tool designed to quickly explore and quantify the value of implementing the Verizon Security Management Program. The tool highlights key components of a generic security management framework that you may be currently employing in-house and easily compares your current costs to the potential new costs using the SMP.

Generally, SMP can provide significant value through the replacement of existing costs and through improved efficiencies of existing resources. SMP can execute tactical tasks that can distract in-house staff from more strategic activities.

Several assumptions have gone into the production of this tool to simplify a more complex discussion that should occur with a Verizon Business contact. Please contact us by using any of the methods listed below:

Website: http://www.verizonbusiness.com/support/ then select your local country for contact details
Telephone: 1-877-297-7816 for general sales information in the United States. For other countries, please access the website indicated above.
Email: smp-calculator@verizonbusiness.com

© 2009 Verizon. All Rights Reserved. The Verizon and Verizon Business names and logos and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.