The bi-weekly journal for security professionals and stakeholders    
  
  The Security Minute Issue #3

Security is a complex and inter-related system; change one thing and the effects ripple.

–Bruce Schneier

World-renowned security expert and author
 

 
 
A Powerful Tool for Setting Asset Protection Priorities

"Your budget is not limitless. Neither are other resources. You need to determine the best use of your limited resources to ensure the survivability of your enterprise." —Audrey Dorofee, Software Engineering Institute, Carnegie Mellon University

When all is said and done, it very often comes down to setting security priorities.

Creating a catalog of critical assets is one thing. Assessing their relative importance to the enterprise is quite another. That can be difficult for a security practitioner in a global enterprise when there are many assets to protect and ranking their relative importance requires knowledge outside of security's domain.

Security steering committees and task forces provide a practical means to obtain the involvement of the company personnel who "own" the assets in terms of everyday operations. When the committee or task force has participation by legal, HR, risk management and security as well as those responsible for and dependent upon the assets, effective evaluations can be performed.

Have you ever participated in such an exercise, to rank the relative importance of the enterprise's critical assets? It is an important process. But it is often hard to get started, hard to manage, and takes too long to complete. That's one reason why there are many more companies who have not done it than who have.

Mergers and acquisitions are situations of high risk, and yet are among the toughest situations in which to perform a security evaluation.

Fortunately there is a little-known but very powerful tool available to help. It is so effective that Sandia National Laboratories includes it as the first step in identifying and ranking critical assets, systems and processes in its RAM-WSM threat assessment methodology for water utilities. It can reduce the amount of time to rank asset criticality tremendously—for example, from 2 days down to 3 hours!

This free and incredibly simple tool is called the "pairwise comparison". You can use it to establish the relative ranking of any list of items. Here is why this tool's "divide and conquer" approach is so workable for security assessments:

  • Full consensus can be achieved even though not all committee or task force members know about all assets.
  • Relative ranking is fast and simple because you are only comparing two assets at a time.
  • It works on small, medium or even very large lists of items.
  • Each comparison results in a set of numbers or scores for each asset.
  • Adding up the scores reveals the relative asset rankings.
  • While most folks use a word processor or a spreadsheet program, a couple of chart pads on easels can work just as well for a few dozen assets or less.
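
As an added illustration (not part of the original newsletter or of Sandia's methodology), the tally described in the list above can be sketched in Python. The asset names, committee members and votes are constructed, and the scoring rule (one point to the majority winner of each pair, half a point each on a split vote) is an assumption.

```python
from itertools import combinations

def rank_assets(assets, ballots):
    """Score assets from pairwise votes.

    ballots: iterable of (member, preferred, other) tuples. A member who
    does not know one of the two assets simply casts no vote on that pair.
    Returns (ranking, unjudged): ranking is [(asset, score)] sorted high to
    low; unjudged lists pairs nobody voted on, which need follow-up.
    """
    known = set(assets)
    votes = {}  # frozenset({a, b}) -> {asset: vote count}
    for member, preferred, other in ballots:
        if preferred not in known or other not in known or preferred == other:
            raise ValueError(f"bad ballot from {member}: {preferred!r} vs {other!r}")
        tally = votes.setdefault(frozenset((preferred, other)), {})
        tally[preferred] = tally.get(preferred, 0) + 1

    scores = {a: 0.0 for a in assets}
    unjudged = []
    for a, b in combinations(assets, 2):
        tally = votes.get(frozenset((a, b)))
        if not tally:
            unjudged.append((a, b))  # no committee member could judge this pair
            continue
        va, vb = tally.get(a, 0), tally.get(b, 0)
        if va == vb:                 # split vote: share the point
            scores[a] += 0.5
            scores[b] += 0.5
        else:                        # assumed rule: majority wins the pair
            scores[a if va > vb else b] += 1.0
    # sorted() is stable, so equal scores keep their catalog order
    return sorted(scores.items(), key=lambda kv: -kv[1]), unjudged

# Constructed sample: each member votes only on assets they know.
ASSETS = ["Customer database", "Data center", "Manufacturing line", "HQ building"]
BALLOTS = [
    ("IT", "Customer database", "Data center"),
    ("IT", "Customer database", "HQ building"),
    ("IT", "Data center", "HQ building"),
    ("Operations", "Data center", "Manufacturing line"),
    ("Operations", "Data center", "HQ building"),
    ("Operations", "Manufacturing line", "HQ building"),
    ("Legal", "Customer database", "Manufacturing line"),
    ("Legal", "Customer database", "HQ building"),
    ("Legal", "Manufacturing line", "HQ building"),
]

if __name__ == "__main__":
    for asset, score in rank_assets(ASSETS, BALLOTS)[0]:
        print(f"{score:>4.1f}  {asset}")
```

Any pair returned in `unjudged` means the committee lacks someone who knows both assets, so the ranking around those two assets should be treated as incomplete until that pair is compared.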

Click here to learn more about Pairwise comparisons, and to see an example pairwise comparison chart.

Once you use it you'll quickly see why I am so jazzed about the Pairwise Comparison tool.

Best regards,
Ray Bernard

 

2006 by Ray Bernard. All Rights Reserved. Permission is granted to reprint with The Security Minute identified as the source and Ray Bernard as the author.

 