Managing Information Security On a Limited Budget

The recent government shutdown got me thinking about budgets and information security. Having just submitted a proposal to a small business myself, I am asking the question: What is best practice for small or mid-sized business (SMB) information security? Every SMB is going to have a limited budget. This budget has to cover control implementation and maintenance. There's no point in minimizing risks if you will run out of money for maintenance at a later date. In this post, I want to address the costs of running the security program on an ongoing basis. Gartner came up with Total Cost of Ownership (TCO) back in the 1980s but hasn't applied it to information security. I am claiming that the cost of maintaining your security program is often overlooked and is critical for an SMB, where budgets are limited.

There are several good references for SMB security. NIST has developed NISTIR 7621: Small Business Information Security: The Fundamentals. This document recommends taking an …

*** This is a Security Bloggers Network syndicated blog from Security Connections authored by Fred Scholl. Read the original post at: