December 2002

Mfg.Trust

Mfg.Trust is a monthly feature of the

This month – Cost of Information Assurance

An Approach to Answering “How Much is Enough?” in Information Assurance

The Resource Page for this Story

Editor's Preface: This month's feature highlights the results of a joint study project with NCMS and the University of Michigan’s Tauber Manufacturing Institute (www.tmi.umich.edu) to develop an approach to quantifying reasonable expectations for Information Assurance costs which accounts for additional risks of increasing collaboration in supply chain and e-Manufacturing strategies. A summary of the report is provided here. You may download the complete 26-page report as an Adobe Acrobat (.pdf) file on the Resources page that accompanies this article. The resources page is at http://trust.ncms.org, under the Publications Index tab.

The NCMS Manufacturing Trust R&D program is developing industry collaborations (see below) that refine and implement the models discussed here – at real scale. Please contact Michael Fancher (734-995-7049, michaelf@ncms.org) to learn how you can participate.

John Sheridan (johns@ncms.org)

THE COST OF INFORMATION ASSURANCE

Executive Summary

Most manufacturers employ some form of best practices method to allocate financial and human resources to achieve what they perceive as an adequate level of Information Assurance. However, sole reliance on best practices may result in inappropriate spending decisions by focusing on practices regardless of applicability to a company’s actual context of critical assets and risks.
Best practices may serve as an effective means of jump-starting the process of improving security; however, in the long term companies are left unnecessarily vulnerable when they strive to be the modest “above average.”

NCMS formulated the Cost of Information Assurance model and framework as an alternative approach to quantifying reasonable expectations for Information Assurance costs which accounts for additional risks of increasing collaboration in supply chain and e-Manufacturing strategies.

Collaboration-based business processes promise significant gains in profitability, market share and shareholder value to effective practitioners in most industries. At the same time, increased sharing of information, largely across the Internet, raises the vulnerability of sensitive information and interconnected business processes to compromise and disruption, so that increased Information Assurance measures must be applied to realize the desired net business benefits.

A framework combining an asset-based approach with collaboration level is proposed to evaluate risks, which can be quantified using the Cost of Information Assurance model to find the appropriate Assurance Policy.

There are at present limited quantitative data and/or methods for measuring collaboration’s benefits and risks in the manufacturing sector. Survey data are presented, indicating that increased collaboration in the North American manufacturing sector is inhibited by vulnerable Information Infrastructure due to inadequate Information Assurance.

Currently, NCMS is seeking to work with companies in the sector to quantify the value of collaboration and learn more about the risks facing Information Assets within the industry. This model will lay the foundation for the next generation of framework development in quantifying the value of Information Assurance in collaboration.
With the aid of industry partners, the final methodology will be used as a base for further quantification efforts in answering the question “How much is Enough?” in Information Assurance for manufacturing industries.

Future of Information Assurance

Information will continue to be the most valuable asset in many industries in the foreseeable future. Therefore, to survive and succeed, manufacturers must place high importance on protecting this valuable asset even as they seek to leverage it to create higher value through collaboration. Increasing, information-driven collaboration is a dominant trend for commerce. Attaining and maintaining requisite levels of Information Assurance will become a common business process, and a basic necessity for competitive performance, similar to the evolution of Quality into a differentiator and even a basic expectation.

Manufacturing Trust Initiative

In facing the problem of information security in manufacturing contexts, NCMS formed the Manufacturing Trust strategic program area to concentrate NCMS resources and competencies on protecting the confidentiality, integrity and availability of information for manufacturing needs. Current and forming projects focus on identifying vulnerabilities and validating tools to reduce risks.

1. Extended Enterprise Risk Management and Continuity
   * Identify / benchmark / develop / validate replicable sets of tools, processes and best practices for managing enterprise-wide and supply chain operations risks and business continuity, to encompass:
   * Identify common risks among OEM and multi-tier supplier communities

2. Extended Enterprise Intellectual Property Protection
   Identify / develop / validate tools and processes to assure the proper protection of all information, in all presentation formats, throughout the extended manufacturing enterprise.

3. Shop Floor Operations Protection and Security
   Secure control systems and networks, including wireless, associated with production and maintenance systems.

If you liked Mfg.Trust, please forward it to a colleague in your company! For questions, comments, or for NCMS Alliance Partners to request their own FREE subscription to Mfg.Trust, send e-mail to johns@ncms.org