Advantages of using the ConOp Mathematical Model:
- Minimizes the cost of compliance, as opposed to subjectively reducing a few controls.
- Consistency: solves the control optimization problem using a mathematical model. It removes any judgment from removing or selecting a particular control.
- Ensures that the selected set of controls provides adequate risk coverage, by assigning risk coverage values to the controls.
- Ensures that the selected set of controls can be maintained and audited using the organization's available resources.
- Takes into consideration the long-term cost-benefit as opposed to the short-term cost. For example, an automated control may require a high upfront investment, but its cost of maintenance may be significantly less and its risk coverage significantly more, thereby reducing the effective cost over a period of time.
- Flexibility: offers flexibility to determine if a particular control is required to address the risks. Such controls will always be selected even if they increase the total cost of compliance.
Disadvantages of the traditional way of controls optimization:
There are a number of deficiencies in the process of removing controls subjectively:
- Since there is no objective analysis of risk coverage, the resulting control set may not be the best possible control set.
- There is no objective analysis of the cost of compliance. Reducing compliance cost does not necessarily mean reducing the number of controls, as three simple controls may be less expensive to maintain than one complex control (which could also require acquisition of systems).
- There is no analysis performed on available resources. For example, if an organization requires hiring two new highly skilled personnel to maintain the selected controls, that would increase the cost of compliance. They may instead prefer to choose a set of controls which could be maintained using their available resources. This would also apply to available hardware, software, network, and any other applicable resources.
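The constraints described in both lists above (minimum risk coverage, the organization's available resources, controls that must always be selected, and lifetime rather than upfront cost) can be written down as one small optimization problem. The following is an added example, not code from the paper or from ConOp itself. It uses a constructed control catalogue and makes two simplifying assumptions the page does not specify: that coverage values add across controls, and that "available resources" are expressed as staff hours per year. It solves the problem exactly by exhaustive search, which is adequate for a catalogue of a few dozen controls; a real deployment would hand the same formulation to an integer-programming solver.

```python
"""Added illustration of a ConOp-style control optimisation model.

Constructed example, not the paper's model or code. Assumptions (not from
the page): coverage values add across controls, resources are modelled as
staff hours per year, and lifetime cost = upfront + maintenance * years.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple


@dataclass
class Control:
    name: str
    upfront: float                 # one-off acquisition/implementation cost
    maintenance: float             # recurring cost per year
    staff_hours: float             # hours per year to operate and audit it
    coverage: Dict[str, float] = field(default_factory=dict)  # risk -> value
    mandatory: bool = False        # forced into every solution (flexibility)

    def lifetime_cost(self, years: int) -> float:
        """Long-term cost: a high upfront cost may still win over a horizon."""
        return self.upfront + self.maintenance * years


# Constructed catalogue; costs are in arbitrary units.
CONTROLS: List[Control] = [
    Control("mfa", 20, 5, 10, {"access": 0.6}),
    Control("password_policy", 5, 2, 5, {"access": 0.3}),
    # Automated vs manual review of the same logs: the automated one costs
    # more upfront but far less to maintain and needs far fewer hours.
    Control("automated_log_review", 60, 2, 5, {"monitoring": 0.9}),
    Control("manual_log_review", 0, 30, 40, {"monitoring": 0.8}),
    # One complex control that also requires acquiring a system.
    Control("siem_platform", 100, 20, 30, {"monitoring": 0.9, "access": 0.2}),
    Control("backup", 15, 5, 10, {"availability": 0.8}),
    Control("security_training", 5, 10, 8, {"access": 0.1}, mandatory=True),
]

# Minimum coverage the organisation requires per risk (constructed).
REQUIRED_COVERAGE: Dict[str, float] = {
    "access": 0.8, "monitoring": 0.8, "availability": 0.7}


def is_feasible(chosen: Sequence[Control], catalogue: Sequence[Control],
                required: Dict[str, float], available_hours: float) -> bool:
    """Check mandatory controls, per-risk coverage and the resource budget."""
    chosen_names = {c.name for c in chosen}
    if any(c.mandatory and c.name not in chosen_names for c in catalogue):
        return False
    for risk, needed in required.items():
        # Assumption: coverage values add up across controls.
        if sum(c.coverage.get(risk, 0.0) for c in chosen) < needed:
            return False
    return sum(c.staff_hours for c in chosen) <= available_hours


def optimise(catalogue: Sequence[Control], required: Dict[str, float],
             available_hours: float, years: int
             ) -> Optional[Tuple[FrozenSet[str], float]]:
    """Return (control names, lifetime cost) of the cheapest feasible set.

    Exhaustive search over all subsets: exact, and fine for a catalogue of
    a few dozen controls; larger catalogues would use an ILP solver instead.
    Returns None if no subset satisfies the constraints.
    """
    best: Optional[Tuple[FrozenSet[str], float]] = None
    for k in range(len(catalogue) + 1):
        for subset in combinations(catalogue, k):
            if not is_feasible(subset, catalogue, required, available_hours):
                continue
            cost = sum(c.lifetime_cost(years) for c in subset)
            if best is None or cost < best[1]:
                best = (frozenset(c.name for c in subset), cost)
    return best


if __name__ == "__main__":
    # Same catalogue, three planning assumptions: the cheapest set changes
    # with the horizon (manual vs automated review) and with the resource
    # budget (manual review is infeasible when staff hours are scarce).
    for hours, years in ((80, 1), (80, 5), (60, 1)):
        result = optimise(CONTROLS, REQUIRED_COVERAGE, hours, years)
        print(f"hours={hours:>3} years={years}: {result}")
```

Running the three scenarios shows each point from the lists: over a one-year horizon the cheap-to-buy manual log review wins, over five years the automated review does, and when the staff budget drops to 60 hours the manual review becomes infeasible regardless of cost. The mandatory security_training control appears in every solution even though it contributes little coverage, and no solution ever drops backup, because the availability threshold cannot be met without it.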