To recap, first we listed regulatory and compliance risks and the policies/technologies needed to mitigate them. We then assigned these projects to 3 work teams to prioritize, estimate level of effort, and assign risk scores.
We then examined the total costs necessary to complete the prioritized projects.
The end result was that we identified 55 projects with $7.8 million in capital costs. Our FY13 capital budget for security/compliance related projects is $4.2 million, so we had to reduce the list of projects by $3.6 million.
After prioritization, we identified malware controls as the highest priority, followed by mobile device encryption. All projects related to these general categories will be done first.
Other key items are data loss prevention for emails sent to commercial email providers, blocking of cloud storage services, restriction on outbound internet traffic (machines sending data to unauthorized organizations), and adaptive authentication.
Items to consider deferring due to capital expense include additional e-discovery infrastructure, network access control technologies, and enterprise mobile device management applications. These are desirable and likely will be done next year.
The end result of this exercise is a jointly agreed-upon list of priorities, budgets, and timelines for compliance work over the next year.
With a mutual understanding of the time, scope, and resources, we can triage any new requests against the work we've already agreed to do. Given that time and resources are fixed, adding scope means taking something off the list.
I look forward to the year ahead and the policy/technology work needed to ensure we not only follow standard practices, but best practices.