Information security management in SMB sector

1. Informationsecurity management inSMBsector mag.oec. Sasa Aksentijevic, univ.spec.oec, ph.d. cnd. ICT forensicscourtexpert Nova Gorica, Slovenia, November 2011.

2. What is SMB company? • Two criteria: • Financial criteria • Number of employees • Micro business/company: • Number of employees : < 10 employees • Financial criteria: 2-10 mil. EUR revenue and/or up to 2 mil. EUR in balance sheet total • Small business/company: • Number of employees : < 50 employees • Financial criteria: 10-50 mil. EUR revenue and/or up to 10 mil. EUR in balance sheet total • Medium business/company: • Number of employees: < 250 employees • Financial criteria: 50-250 mil. EUR revenue and/or up to 43 mil. EUR in balance sheet total mag.oec. Sasa Aksentijevic, univ.spec.oec, ph.d. cnd. ICT forensicscourtexpert Nova Gorica, Slovenia, November 2011.

3. Difference between small and big company

4. Small Business Information Security: The Fundamentals Author: Richard Kissel National Institute of Standards and Technology US Department of Commerce October 2009 16 pages 1. Introduction 2. "The absolutely neccessary" actions that a small business should take to protect its information, systems and networks 3. Highly Recommended Practices 4. Other planning considerations for information, computer and network security Appendix A: Identifying and prioritizing your organization`s information types Appendix B: Identifying the protection needed by your organization`s priority information types Appendix C: Estimated costs from bad things happening to your important business information

6. Risk Management & IT Security for Micro and Small Businesses International Association of Accountants Innovation & Technology Consultants (IAAITC) European Network and Information Security Agency (ENISA) Micro Entrepreneurs Acceleration Institute (MEA-I) WKO- Information and Consulting Division 2007. (guide/deliverable) CONTENTS How to proceed with Information Security Phase 1: Risk Profile Selection Phase 2: Critical Assets Identification Phase 3: Control Card Selection Phase 4: Risk Management and Implementation Organisation Controls Organisational Control Cards Asset Based Control Cards System Network People Application Asset Based Controls Appendices Action Checklist IT Security Questionnaire Notes

7. ISSA-UK 5173 Information Security for Small and Medium Sized Enterprises March 2011 Draft of standard, 10 pages Purpose “This paper, prepared by a working group of the ISSA (UK), sets out recommendations on information security controls for small and medium enterprises (SMEs). There are already several sources of educational advice for SMEs, but none currently aims to set a standard for information security. This document is intended to serve primarily as a reference document for helping to determine an appropriate level of security for SMEs. It is hoped that others will build on this work and develop interpretation guidelines for specific sectors or circumstances, as well as appropriate educational materials.”

8. SMB companies and ISO 27001 ISO/IEC 27001 for Small Businesses – Practical advice Manual ISO Secretary-General Rob Steele and IEC General Secretary Ronnie Amit comment in the foreword to the handbook: "An information security management system based on ISO/IEC 27001:2005 can empower the small business to compete successfully on today's globalizing markets. This handbook is intended to provide the key to the door.“ Annual audit Fee < £100,000 £495 £100,000 - £5m £795 > £5m Subject to individual quotation Annual turnover Fee < £100,000 £2,999 £100,000 - £500,000 £3,999 £500,000 - £1.5m £4,499 £1.5m - £3m £4,999 £3m - £10m £4,999, plus £125 for each additional £1m turnover above £3m > £10m Subject to individual quotation What about consultancy cost? (~ 70 £ / hour – freelance) Documents? 60+ Opportunity cost?

12. Informationsecurity management inSMBsector