In his opinion, depending on the company's area of activity, the adopted risk management strategy and the specific operational situation, the tasks of corporate information security differ. The information security service may be aimed, for example, at protecting information in accordance with state legislation or internal regulations of the enterprise (in this case, it should only ensure the implementation of necessary measures). Another possible goal is to support the required characteristics of information (confidentiality, integrity, availability, etc.) in critical services, which can also include ensuring the continuity of business processes. It makes sense to also talk about reducing losses (for example, identifying fraud in retail), which essentially allows us to consider information security as a function of mexico whatsapp data the efficiency of the enterprise as a whole.
“, if we consider corporate information security management as a classic PDCA (Plan-Do-Check-Act) cycle, it is obvious that each action in the cycle requires additional costs (financial or time) and is aimed at servicing the main tasks of the business customer,” explains Ivan Ozerov.
Dmitry Shumilin, Director of the RedSys Information Security Center, speaks about the servicing purpose of corporate information security, which is typical for most companies: “The exception is those structures for which the business is connected with the provision of information security services and which, naturally, earn money on information security. The correct organization of information security processes allows the best possible achievement of business goals, thereby creating additional competitive advantages, and, as a result, earning more.”
"The information security service," says Dmitry Berezina, an expert in the information security department at KROK, "is not a department that makes money, but it allows us to reduce potential risks and damage as a result of computer attacks. At the same time, it is important to understand that the costs of information security should not exceed the cost of the resources being protected."
How to evaluate the effectiveness of information security management
Judging by the responses of our experts, the assessment of the effectiveness of information security management still remains a weakly formalized, non-standardized, largely creative process, dependent on the specific experience of specific specialists.