When we look at constraints, there are a number of things that we have to take into consideration for our information security: things like legal and regulatory requirements, physical, ethics, culture, and you can read the list here on slide 87 of the course material. Let's take a look first at legal and regulatory. There are laws for privacy and intellectual property, and different countries have different laws, and as security professionals, as citizens, we need to know what those different laws are. There are specific laws for Internet business, for e-commerce. There are specific laws relating to the retention of business records, and all of us deal with e-discovery, especially when there is a lawsuit or pending litigation.

Physical constraints are just that: is there enough physical capacity, electricity, air conditioning, space? Is there infrastructure capacity? Think about it: you've got a raised floor, and now we're adding another 2000-pound RAID array. Will the raised floor support that additional weight? From an ethical point of view, the customer's perception, the public perception, is very critical, so our strategy has to include ethical considerations and the culture of the organization. If they are resistant, it's going to be difficult to implement any controls within the organization. That organizational structure will have a very definite impact on how we put together our security strategy within the organization.

Money is always an issue. There is never enough money to go around. Management, when you present them with all of the risks, are very often going to say, okay, let's do one and two, and then we'll hold the rest of them to next year. And at the same time, even though you do risks one and two and you mitigate those, they want to know if they got their money's worth. They want to know what the return on the investment was for that control. So every time we do something, we have to justify it with the business case.
From a personnel point of view, there may be some resistance, especially if we're trying to share resources, because people like DBAs and sysadmins have a full-time job already, and now we're asking them to do additional work just for the security strategy. There may be some resistance on their part. From a resource point of view, is there enough money in the budget? Is there new technology that is available? Is there manpower available to do the operation of the controls once we put them in place? From a resource point of view also, we have to look at the total cost of ownership, which is the cost of owning that control throughout its entire life cycle. From a capability point of view, what's the capability of the resource? An intrusion detection system, for example, does not have prevention capabilities. A systems administrator that knows Windows does not have the capability, doesn't have the skill set, to be a Unix administrator.

Time is always an element, a constraint, and is always an issue. You have compliance deadlines, like PCI DSS, for example: they require a quarterly network scan, so you've got 90 days in order to do that network scan. Time is always an issue. One of the other things we have to look at is the organization's risk appetite. Are they risk takers, are they risk avoiders? In order to understand the risk tolerance, one of the things that we include in the business impact analysis is something called the recovery time objective: how much time does IT have to bring that system back up? Well, really, what that is saying is, how much risk tolerance does the organization have for that application or for that function being down?