Date post: | 20-Jun-2015 |
Category: |
Business |
Upload: | paul-mercer |
View: | 144 times |
Download: | 6 times |
SECURITY RISK ASSESSMENTWITH
Paul Mercer
SECURITY RISK ASSESSMENT TRAINING USING HAWK SIGHT
Day 1 Lesson 1 – Introduction Lesson 2 – Adding a new Client and
Project Lesson 3 – Adding Project Context
SECURITY RISK ASSESSMENT TRAINING USING HAWK SIGHT
Day 2 Lesson 4 - Security Threat Analysis Lesson 5 – Critical Asset Assessment Lesson 6 – Control Level Effectiveness
Assessment
SECURITY RISK ASSESSMENT TRAINING USING HAWK SIGHT
Day 3 Lesson 7 – Security Risk Analysis &
Evaluation Lesson 8 – Security Risk Treatment Final Exercise Course Wash up
AN INTRODUCTION TO SECURITY RISK ASSESSMENT
Lesson 1
WHAT IS A SECURITY RISK ASSESSMENT (SRA)?
A Security Risk Assessment offers a structured means of
determining the Threats to, and
Vulnerabilities of an Organisation, Community or
Individual” SRMBOK:2008
WHY DO WE NEED TO CONDUCT A SECURITY RISK ASSESSMENT (SRA) ?
To reduce uncertainty…. “A risk based approach to
security ensures improved corporate governance and transparency of decision making through managing risk that threaten the on-going sustainability of the organisation” AS/NZ 4360:2004
“To shape operational activities and optimise the allocation of resources” SRMBOK:2008
HOW DO WE CONDUCT A SECURITY RISK ASSESSMENT (SRA)?
Security Risk Managem
ent HB167
Ente
rpris
e Ri
sk M
anag
emen
t IS
O 3
1000
WHAT IS HAWK SIGHT ?
Hawk Sight is a Security Risk Assessment calculator. It speeds up the analysis process by automating the
risk analysis methodology, thereby significantly reducing the time required to produce the Security Risk Assessment report.
Used by a trained Security Risk Consultant it will facilitate standardised, ISO 31000 compliant Security Risk Assessments, and ensures continuity in the Security Risk Assessment process, allowing like for like comparison across all Security Risk Assessments, regardless of organisation type or country of operation.
INTERNATIONAL RISK STANDARDS
ADDING A NEW CLIENT AND PROJECTS
Lesson 2
ESTABLISHING A PROJECT IN HAWK SIGHT Sign in at http://maxwelllucas.digitalpilgrims.co.uk using
your designated username and password.
ADDING YOUR NEW CLIENT TO HAWK SIGHT
ADDING YOUR CLIENT DETAILS
ADDING YOUR CLIENT DETAILS
ADDING YOUR CLIENT CONTACT DETAILS
ADDING CLIENT CONTACT DETAILS
ADDING A NEW PROJECT TO YOUR CLIENT
ADDING YOUR CLIENT CONTACT DETAILS
ESTABLISHING PROJECT CONTEXT
Lesson 3
ESTABLISHING PROJECT CONTEXT – WHY?
“To gain an understanding of what our client does and how they do it in order we can recommend security
controls that match the needs of the client, the physical and regulatory
environment in which they operate, as well as meeting international
standards and best practice”
STRATEGIC CONTEXT
“Allows us to “gain an understanding of the external environment in which the
organisation is operating or may be operating [in the future in order to] identify any factors that may have an effect on the organisation or the way it does business”
HB 167:2006
OPERATIONAL CONTEXT
“To agree an understanding of the organisation itself, and any issues that may influence its exposure to security risk or the
activities undertaken to manage them. In other words, what do they do and how do
they do it.”
SECURITY RISK MANAGEMENT CONTEXT
How does the client currently manage Security Risk. How do they Identify, Assess,
Evaluate and Treat Security related Risk?
Developing The Security Risk Management Context provides the scope, parameters and plan for undertaking the proposed
Security Risk activities.
LOGON TO HAWKSIGHT
Sign in at http://maxwelllucas.digitalpilgrims.co.uk using your designated username and password.
SELECT THE COMPANY CREATED IN L1
SELECT THE PROJECT CREATED IN L1
ADDING THE PROJECT CONTEXT
STRATEGIC CONTEXT
OPERATIONAL CONTEXT
SECURITY RISK MANAGEMENT CONTEXT
Previous Incidents
SECURITY RISK MANAGEMENT CONTEXT
Consequence
WHAT IS CONSEQUENCE?
“The consequences of any security event are assessed with reference to the potential damage to the client
should the Risk occur and may be defined in terms of effect on the achievement of client’s objectives, or
possible impact on meeting defined business, financial, management, operational, safety, security and
environmental requirements, in terms of the legal and regulatory framework or impact to reputation”
“In analysis the consequence against likelihood the approach adopted for security risks in this assessment reflects international best practice (HB 167) and is to
take the most probable worst case scenario”
DETERMINING CONSEQUENCE IN HAWK SIGHT
SECURITY RISK MANAGEMENT CONTEXT
Risk Matrix
DETERMINING THE STRUCTURE OF THE RISK MATRIX IN HAWK SIGHT
DETERMINING THE STRUCTURE OF THE RISK MATRIX IN HAWK SIGHT
Editing the Risk Matrix Edited Matrix Showing Greater Risk Tolerance
SECURITY RISK MANAGEMENT CONTEXT
Risk Levels
DETERMINING RISK LEVELS IN HAWK SIGHT
SECURITY RISK MANAGEMENT CONTEXT
Target Attractiveness
DETERMINING TARGET ATTRACTIVENESS IN HAWK SIGHT
SECURITY RISK MANAGEMENT CONTEXT
Business Resilience
WHAT IS BUSINESS RESILIENCE?
“Business Resilience, or Post Incident Vulnerability (V2), is the robustness and ability of the asset, facility or system to
withstand attack and / or maintain service in the event of damage or disruption”
DETERMINING THE LEVEL OF BUSINESS RESILIENCE IN HAWK SIGHT
PROJECT CONTEXT - SUMMARY
Strategic Context Operational Context Security Risk Management Context
Researching Previous Incidents Determining Consequence Criteria Determining Risk Tolerance though the Risk
Matrix Determining Risk Level Response Determining Target Attractiveness Determining levels of Business Resilience
SECURITY THREAT ANALYSIS
Lesson 4
UNDERSTANDING SECURITY RISK AND SECURITY THREAT
Security Threat is defined as any Threat originating from both a human and natural or non-human source that might negatively affect the sentiment of security and quality of life of individuals, and the interests and choices available to organizations and governments.
Security Risk is defined as the effect of disruption on the objectives caused by risks originating from Security Threats identified.
SECURITY THREAT SOURCE
The Source of a Security Threat is defined as is the
origin at which the Threat emanates be
that a human or non human source
which may be external or internal to the project under
review.
THREAT SOURCE
Threat sources may be categorised as follows: Military Threats to Security from Other States Security Threats from Non State Actors Economic Threats to Security Criminal Threats to Security Social and Religious Threats to Security Health Threats to Security Natural Threats to Security Environmental Threats to Security Accidentally Occurring Threats to Security
THREAT DRIVER
The motivation of a human source or the non human trigger event for a threat to
occur.
DEFINING THE LEVEL OF THREAT
Human Threat Intent refers to covert, implicit, or expressed
aims, goals, objectives, desires or directions of a human threat source, as identified in historical trend data, similar previous incidents and collected intelligence.
Capability refers to the attributes of a human threat source that enable a human Threat to occur, such as skills and knowledge, access to material and financial resources, time and supporters.
INTENT
Determined Threat Source has acted in the last 2 years Drivers/motivational factors still exist
Expressed Threat Source has not been active in the past 5
years Driver/motivational factors still exist
Little Threat Source has not been active for more than 5
years No known driver or motivational factors exist
CAPABILITY
Extensive Potential protagonist has proven capability and
the means to implement the threat effectively against the asset type.
Moderate Potential protagonist has limited proven capability
and resources to implement the threat effectively against the asset type.
Low Potential protagonist has no proven capability and
no resources to act against the asset.
NATURAL OR NON-HUMAN THREAT
Potential refers to the incidence of a non-human Threat and the circumstantial, climate and geographic factors that can trigger it or increase its propensity to occur, as identified in historical trend data, past events and scientific estimates.
Capacity refers to the ability of a non-human Threat to do harm and the factors that can amplify its damage potential, calculated from similar previous incidents and scientific estimates.
POTENTIAL
Likely Threat Source has been active itself in the last 2 years Conditions still exist that might trigger activity
Possible Threat Source has not been active in the past 5 years Conditions still exist that might trigger activity
Improbable Threat Source has not been active for more than 5
years Conditions do not exist that might trigger activity
CAPACITY
Extensive Source of threat has proven capacity to cause multiple
human fatalities and total disruption of business operations.
Moderate Source of threat has proven capacity to cause multiple
injuries to personnel and significant disruption of business operations.
Low Source of threat has no proven capacity to cause
significant injuries to personnel or significantly affect any business operations.
CALCULATING THREAT LEVEL
Intent/Potential
Little/
Improbable
Expressed/
Probable
Determined/
Likely
Capability/Capacity
Extensive Moderate High Extreme
Moderate Low Significant High
Low Low Moderate Significant
ENTERING THREAT DATA INTO HAWK SIGHT
There are 2 ways to enter Threat Data into your project: Adding/Editing Threats Manually to the
Hawk Sight database Selecting pre entered Threats from the
Hawk Sight database
ENTERING THREAT DATA INTO HAWK SIGHT
THREAT DATA PAGE
ADDING/EDITING THREATS MANUALLY
USING PRE ENTERED THREATS FROM THE DATABASE
THREAT DATA PAGE
THREAT DATA SELECTION
CRITICAL ASSET ASSESSMENT
Lesson 5
WHAT IS A CRITICAL ASSET ASSESSMENT?
“The Criticality Assessment attempts to prioritise organisational infrastructure, asset or elements by
relative importance or dependence on that element”
SRMBOK2008. p 154
WHAT ARE CRITICAL ASSETS?
Critical Assets are characterised as:
People Physical Property Information Information &
Communication Technologies (ICT)
HOW CAN WE DEFINE PROJECT ASSETS?
3 Steps:1. Gain an overall understanding of what
the project objectives2. Breakdown the processes involved in
achieving these objectives (Process Mapping)
3. Identify the People, Physical Property, Information and ICT that are needed to support these objectives
ESTABLISHING CRITICALITY
We must consider the impact of the loss of functionality of the asset and the associated impact on the relevant process. Loss of the asset is assessed in terms of: Cessation of critical process Short term recovery capability Serious or prolonged reputation
damage
ESTABLISHING CRITICALITY
Criticality is Assessed as:
Extreme High
SignificantModerate
Low
ENTERING CRITICAL ASSET DATA INTO HAWK SIGHT
ENTERING CRITICAL ASSET DATA INTO HAWK SIGHT
DEFINING IMPACT
ENTERING CRITICAL ASSET DATA INTO HAWK SIGHT
Haulage operations from Karachi, Pakistan to Helmand, Afghanistan
ASSIGNING THREAT TO AN ASSET
Haulage operations from Karachi, Pakistan to Helmand, Afghanistan
ASSIGNING THREAT TO AN ASSET
ASSIGNING CONSEQUENCE OF A THREAT TO AN ASSET
Haulage operations from Karachi, Pakistan to Helmand, Afghanistan
ASSIGNING CONSEQUENCE OF A THREAT TO AN ASSET
CONSEQUENCE CRITERIA DEFINED IN LESSON 3 – PROJECT CONTEXT
ASSIGNING CONSEQUENCE OF A THREAT TO AN ASSET
ASSIGNING TREATMENT OPTIONS
Tolerate the Risk- if, after controls are put in place, the remaining risk is deemed acceptable to the organisation, the risk can be retained. Transfer the Risk - this involves another party bearing or sharing some part of the risk by the use of contracts, insurance, outsourcing, joint ventures or partnerships etc.Terminate the Risk - decide not to proceed with the activity likely to generate the risk.Treat the Risk – through implementation of preventative controls measures, policies & procedures, contingency planning, disaster recovery & business continuity plans
ASSIGNING TREATMENT OPTIONS IN HAWKSIGHT
CONTROL LEVEL EFFECTIVENESS ASSESSMENT (CLE)
Lesson 6
WHAT ARE SECURITY CONTROLS?
“Process, policy, device or other action that acts to minimise negative risk or
enhance positive opportunities”
AS/NZ4360:2004 Risk Management Standard p 342
SECURITY CONTROL TRIANGLE
Policy & Procedure
Physical &
Manpower Technology
ASSESSING CLE USING HAWK SIGHT
ASSESSING CLE USING HAWK SIGHT
ASSESSING CLE USING HAWK SIGHT
HAWK SIGHT SECURITY CONTROLS CHECKLIST
HAWK SIGHT SECURITY CONTROLS CHECKLIST
HAWK SIGHT SECURITY CONTROLS CHECKLIST
HAWK SIGHT SECURITY CONTROLS CHECKLIST
ASSESSING CLE USING HAWK SIGHT
SECURITY RISK ANALYSIS &
EVALUATION
Lesson 7
WHAT IS SECURITY RISK ANALYSIS?
To assess the Impact and Likelihood of each identified Threat against each Critical Asset to define the
Security Risk Level
HOW IS SECURITY RISK ANALYSIS CARRIED OUT?
Need to compare data gathered so far, namely:
Consequence Level – Lesson 3 Risk Tolerance – Lesson 3 Risk Response Level – Lesson 3 Target Attractiveness Level – Lesson 3 Business Resilience Level – Lesson 3 Threat Level – Lesson 4 Critical Asset Level – Lesson 5 Control Level Effectiveness Level – Lesson 6
STEP 1 –PRE-INCIDENT VULNERABILITY (V1)
Target Attractiveness
ControlLevel
Effectiveness
Low Medium Significant High Extreme
Unsatisfactory 6 7 8 9 10
Weak 5 6 7 8 9
Satisfactory 4 5 6 7 8
Good 3 4 5 6 7
Excellent 2 3 4 5 6
STEP 2 –ASSESSING LIKELIHOOD
Threat Level
Pre Incide
nt Vulnerability (V1)
Low Medium Significant High Extreme
Extreme 6 7 8 9 10
High 5 6 7 8 9
Significant 4 5 6 7 8
Moderate 3 4 5 6 7
Low 2 3 4 5 6
STEP 3 –ASSESSING IMPACT
Consequence Level
Business
Resilience Level
Minimal Minor Moderate Major Catastrophic
Extreme 6 7 8 9 10
High 5 6 7 8 9
Significant
4 5 6 7 8
Moderate 3 4 5 6 7
Low 2 3 4 5 6
STEP 4 –DEFINING RISK LEVEL
EVALUATING IDENTIFIED SECURITY RISKS
SECURITY RISK ANALYSIS USING HAWKSIGHT
SECURITY RISK ANALYSIS WITH HAWKSIGHT
SECURITY RISK REGISTER
SECURITY RISK TREATMENT
Lesson 9
AS LOW AS REASONABLY PRACTICABLE(ALARP)
HAWKSIGHT SIMULTATOR
HAWKSIGHT SIMULTATOR
HAWKSIGHT SIMULTATOR
CORPORATE SECURITY CAPABILITY
PhysicalSecurity
PeopleSecurity
ICT Security
Information Security
SecurityManagement
SECURITY IN DEPTH
HIERARCHY OF CONTROLS
Eliminate
ASSET
Terminate the Risk
Transfer the Risk
Policy and Procedural Controls
Technology Controls
Physical Controls
Inform
ation
Peop
le
ICT
Phys
ical
JAMES REASON’S SWISS CHEESE MODEL
Deter
Detect
Delay
Respond
Recover
James Reason’s Swiss Cheese Model
REPORT WRITE UP
WORD TEMPLATE
FINAL EXERCISE
Lesson 9
FINAL EXERCISE
Run you own SRA and compare your findings with mine….
The following slides will give you the information you require.
ADMIN USER FUNCTION