Addressing security risks involves recognising the constraints that exist within the organisation, which can have a dramatic effect on the selection of requirements for security controls.
Questions concerning constraints
- Is finance available to cover the CAPEX and OPEX costs associated with implementing and operating a security control?
- Will the security control prevent the business from operating ‘effectively’?
- Are there time constraints?
- Is the security control legal?
- Will the organisation be able to accept the introduction of the security control? (e.g. culture)
- Is there sufficient ‘people resource’ to implement and operate the control?
- Will the implementation ‘fit’ into the existing ICT infrastructure?