Best Answer

When a security standard conflicts with a business objective, there are a few questions that need to be answered before making a decision:

1) Is the standard a law? If it is, then the business objective needs to be changed to comply. For example: companies that have as an objective to spam the maximum number of people will find that they are in conflict with the law - they cannot legally achieve their objective. You could decide to just accept the risk of getting busted for failing to comply with the law, but that is extremely unethical.

2) What are the consequences of failing to apply the security standard? What vulnerabilities will the information systems have if the security standards are not adhered to? Get an unbiased analysis.

In addition to the consequences of breaking the law already mentioned, some other risks might include: liability issues, loss of business, loss of reputation, lawsuits for invasion of privacy, lawsuits for failure to protect personal information, loss of sensitive data, disclosure of sensitive information to unauthorized entities including competitors or opponents, loss of ability to enforce corporate policies for computer use - depending on the security standard not implemented a company may find they have no legal recourse against someone who misuses their computer resources, co-opting of computer resources by outsiders - company computers might become part of a bot-net, etc.

3) What are the sources of threats to the computer systems?

4) Once risks and threats have been identified, quantify their impact if the risk comes to pass, or the vulnerability is exploited.

5) Quantify the likelihood of each risk becoming reality.

6) For each risk, combine the impact and likelihood to produce an overall risk.

7) Identify options for risk avoidance (fixing the problem), mitigating it (lessening the impact if it happens), or risk transference (such as insurance).

8) Determine the cost of each option for dealing with the risk and compare it to the cost of accepting each risk - weighted by the level of risk.

9) Modify the business objectives to adopt the best risk management strategy to address the identified risks.

Generally if an independent, unbiased risk assessment is made, the costs of risk acceptance compared to avoiding, mitigating, or transferring the risks will dictate some changes to the conflicting business objective. Sometimes the conflict can motivate a business to examine technologies and methods they had not previously considered in order to resolve the conflict. Sometimes the conflict between security and the business objective drives innovators and inventors to resolve the conflict by developing new technologies that can satisfy BOTH the security standard AND the business objective.

Wiki User

8y ago
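
Steps 4 to 8 of the answer above, worked through in Python as an added example that is not part of the original answer. It assumes impact multiplied by likelihood as the way to combine the two (the answer names no formula), treats a legally required standard as one that cannot simply be accepted (step 1), and uses constructed names and figures throughout.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    impact: float            # step 4: loss if the risk comes to pass
    likelihood: float        # step 5: probability per year
    required_by_law: bool = False  # step 1: acceptance is not an option

    def exposure(self) -> float:
        # Step 6. Assumption: impact x likelihood (expected yearly loss).
        return self.impact * self.likelihood

@dataclass
class Option:
    kind: str                # step 7: "avoid", "mitigate" or "transfer"
    cost: float              # step 8: yearly cost of the option
    impact_left: float       # fraction of the impact that remains
    likelihood_left: float   # fraction of the likelihood that remains

def total_cost(risk: Risk, opt: Option) -> float:
    """Cost of the option plus the exposure it leaves behind."""
    residual = (risk.impact * opt.impact_left) * (risk.likelihood * opt.likelihood_left)
    return opt.cost + residual

def best_strategy(risk: Risk, options: list[Option]) -> tuple[str, float]:
    """Step 8: compare every option with accepting the risk outright."""
    costs = {o.kind: total_cost(risk, o) for o in options}
    if not risk.required_by_law:
        costs["accept"] = risk.exposure()
    if not costs:
        raise ValueError(f"no lawful treatment listed for {risk.name!r}")
    kind = min(costs, key=costs.get)
    return kind, costs[kind]

# Constructed sample figures, for illustration only.
DISCLOSURE = Risk("customer data disclosure", impact=500_000, likelihood=0.10)
MANDATED = Risk("legally mandated control", 10_000, 0.05, required_by_law=True)
OPTIONS = [
    Option("avoid", cost=60_000, impact_left=1.0, likelihood_left=0.0),
    Option("mitigate", cost=15_000, impact_left=0.5, likelihood_left=0.5),
    Option("transfer", cost=20_000, impact_left=0.2, likelihood_left=1.0),
]

if __name__ == "__main__":
    for r in (DISCLOSURE, MANDATED):
        print(r.name, round(r.exposure()), best_strategy(r, OPTIONS))
```

With these figures, mitigation beats acceptance for the disclosure risk, while the legally mandated control is treated even though accepting it would be far cheaper on paper.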
Q: When a security standard conflicts with a business objective how the situation should be resolved by?