Mark Wylie - SECURECorp - Security Management System
Transcript of Mark Wylie - SECURECorp - Security Management System
Campus & Student Security Conference
Security Management System
Mark Wylie
Principal
SECUREcorp Risk Management Services
Campus & Student Security
Learning the lessons of aviation safety
Minimal Security Redundancy Systems
Security latent conditions and causal analysis
Integrating Security Management System
Security Threat
Commercial organisations are always victims of criminal activity - organised and opportunistic
Criminals using sophisticated methods and tools are forever seeking to exploit weaknesses in an organisation’s defence systems
Terrorist organisations are constantly evolving, planning,
unpredictable, financed and well equipped, generally
driven by geo-political and religious factors, but now
fuelled by a widening set of causal factors – poverty,
government corruption, oppressive regimes, social
upheaval, and the radicalisation of individuals and groups
People in non-security roles have a limited understanding
of what security does and can do
The Challenge
Contemporary threats of terrorism and organised crime
provide asymmetric and networked challenges that are
more difficult to respond to
Organisations suffer from an incapacitating event, or are
vulnerable to errors and violations and unknown threats
and risks that disrupt normal business
Coupled with organisational latent conditions and the limitations of people, this only increases the opaque weaknesses
Need to overcome the lure of technology as the panacea
People can be your greatest asset and greatest risk
Current Response …
The current security response is generally the
application of industrial age responses to current
information age problems
The traditional response of applying ever-increasing
levels of reactive security counter-measures, such as
people and technology, does not maximise risk
reduction
Security Opportunities
Ansett Aviation experience - SMS
Easily applied to security – SeMS
Proactive System of Security that integrates key
elements and all stakeholders – balancing competing
perspectives and issues
• Safety Errors and Security Violations = both lead to loss
and harm
Prof James Reason’s accident causation models:
engineering, person, and organisational - demonstrates
how organisational decisions & systems are vulnerable
and lower resilience
REASON’S MODEL
[Slide diagram: Reason’s model of systemic failure applied to security. Defensive layers: Open communication, Defence in depth, Ethical culture, Good management, Audit controls, Policies & procedures, Proactive approach. Gaps (latent conditions): Poor work practices & IT systems, Non compliance - lack of awareness, No reporting & follow up, Operational pressures & no accountability, Abrogation of responsibility. Outcome: Loss & harm.]
Professor James Reason’s Model of Systemic Failure can be applied... Latent conditions combine with people frailty
Safety v Security: Parallel, Independent Redundancies Ensure Safety
[Slide diagram: layers of aviation safety redundancy]
Flight plans
Mutual Monitoring
Procedures
Checklists
Crosscheck
Training
CRM
Back-up systems
Alerts & warnings
Readbacks
SOPs
Automation
Redundant hardware
Redundant software
Manual reversion modes
Pre-flight Wx forecast
Inflight Wx/PiReps
Wx radar, Pilots’ eyes
GPWS, MSAW, TCAS
Instrument scan
… against threats to safety that are neither deliberate nor the result of intelligence and planning
Sandra Hart. NASA – AMES Research Center
Safety vs Security: The security “net” is vulnerable because it lacks redundancy
[Slide diagram: threat vectors passing through nodes in the security net]
… against threats to security that are ill-defined, evolving, covert, and the result of deliberate and intentional actions
Sandra Hart. NASA – AMES Research Center
Latent Conditions
SMS identifies latent conditions - recurring nightmares:
They arise from decisions made years earlier by senior
mgt, regulators, designers – People (limitations)
Float around the ether, like pathogens in a body - looking
to infect clean cells – become unknown causal factors
A decision is made to implement a risk treatment to
control an assessed risk event, but no foreseeability of
the impact of the treatment = Increased Risk
They combine with front line error - Longford Gas Plant
explosion 1998
Need Causal Analysis
Causal Analysis
SMS demands identification of underlying causal factors,
not symptoms – many methods
An important context and approach that could assist is:
Hindsight – ‘knew-it-all-along effect’ = inclination, after
the event, to see it as having been predictable, despite
no objective basis for predicting before the event
Insight – understanding the causes and effects in a
specific context
Foresight – prescience, knowledge or insight of the
future
• Scenario analysis: considering alternative possible
outcomes
• Don’t replace one risk with a risk of another kind
Security Management System
How do we mitigate people limitations, unknown causal
factors, unforeseen catastrophic events?
One way is to implement SeMS
Key Features:
An explicit element of corporate management framework
- to establish a security posture and strategic intent
A structured and systematic means for an organisation to achieve and maintain high standards of security
• Strategy, Structure, Systems, Resources, Capabilities
A business-like approach - alignment with commercial objectives, governance and regulatory compliance
Security Management System
Key Features …
Security managers are business managers with security
expertise
Shared accountability - multiple stakeholders
contributing cross-functionally
Nudges security culture
Can reduce the negative impact of:
• Departmental Silos
• Disconnect between senior mgt, middle mgt and
employees
[Slide diagram: organisational areas - Business Planning, Sales & Distribution, Operations, Support]
…Can be addressed across an organisation in different areas, at different levels and with a different focus…
[Slide table with three columns: DESIGN & BUILD, IMPLEMENT, PREVENT]
• Executive Support
• Strategic intent
• Structure & roles
• Product & Services
• Policy, Communications & Training
• Change mgt model
• Cross-functional links
• Risk mgt
• QA - Audit
• Policy, procedures & work practices
• Reporting & trend analysis
• Investigation, causal analysis & reporting
• Reviews
• Projects
• Education & Awareness
• Stakeholder relations
• Evaluate performance & modify
Security Management System
[Slide diagram: SECURITY MANAGEMENT SYSTEM, with four pillars - Strategy & Alignment, Structure & Accountability, Management Systems, Resources & Capabilities - and a Programs & Activities / Implementation layer. Elements shown:]
Confidential Reporting
Training & Awareness Program
Security Data Analysis
Operational Reviews & SeMS Audits
Risk, Quality, Tech, HR, Audit, HF
Security Promotion
Strategic Intent
Cross-Functional Implementation
Management Security Committees
Security Organisation Structure
Line Management Roles & Accountability
Emergency Response & BCM
Technology & Labour Performance
Change Management Methodology
Investigations & Causal Analysis
Policy, Procedures & Work Processes
Knowledge, skills & experience
Exec Management Commitment & Promotion
Security Culture
Corporate Security Governance
Planning, Goals & Objectives
Programs, Activities & Tools Design
Chief Security Officer
Regulatory Compliance
Information Dissemination
Document & data control
Security Maturity?
[Slide diagram: maturity progression from Technology to Discipline to Science?, with stages:]
Reactive linear focus responding to single incidents & no analysis
Trend analysis of security breaches
Causal analysis of security breaches
Causal analysis - future scenario analysis
Human Factors – Error Mgt
Automation - lure of technology panacea
Security Mgt System
Perceptions of Security - 2014
[Slide diagram: Acceptance, Marketing, Product & service development, Security sign-off]
Questions
Contact:
Mark Wylie
Principal
SECUREcorp Risk Management Services
M: 0431 646 762