Principal Sponsor, Sponsors, Lead Authors & Editors: Dr. Miles Jakeman & Julian Talbot. Graphics for Public Use (SRMBOK slide deck, 51 pages; transcript of the slide text)

Page 1: Title slide. Principal Sponsor; Sponsors; Lead Authors & Editors: Dr. Miles Jakeman & Julian Talbot; Graphics for Public Use.

Page 2: SRMBOK Framework (diagram).
Security-In-Depth, outermost layer first: Eliminate; Substitute; Isolate; Engineer; Administrative Controls; Personal Protection.
Asset areas: Physical Property; People; Information; Information & Communication Technologies; Capability.
Enablers: Regulation and Policy; Training and Education; Operations and Application; Governance and Oversight; Sustainability and Resilience.
Strategic Knowledge Areas: Exposure; Risk; Resource; 'Quality'.
Operational Competency Areas: Integration; Design; Application; Assurance.
Activity Areas: Intelligence; Protective Security; Incident Response; Recovery & Continuity.
Practice Areas: Physical Security; People Security; ICT Security; Information Security; Security Management.
SRM Integration.

Page 4: Defined Terms (bow-tie diagram).
Terms shown on the bow tie: Source; Threats; Hazard; Risk Event; Consequence; Effect.

Page 5: Relationships (bow-tie diagram).
Core terms: Source; Threats; Hazard; Risk Event; Consequence; Effect.
Barriers and factors: Threat Barriers; Escalation Factors and Escalation Controls (shown on both sides of the event); Consequence Barriers.
Management focus: Likelihood Management on the threat side of the event; Consequence Management on the consequence side.

Page 6: Sample of integrated arrangements (diagram only).

Page 7: Resilience (diagram).
Labels: Capabilities; Functions; People; Information; Physical; ICT; Operating Environment.

Page 8: Security-In-Depth / SRMBOK Framework (diagram; repeat of the page 2 slide).

Page 9: Security In Depth (diagram of layered controls around the Asset).

Page 10: Hierarchy of Controls (Source: NOHSC).
Controls applied around the Assets, in order: Eliminate; Substitute; Isolate; Engineer; Administrative Controls; Personal Protection.

Page 11: Oil Exploration Example (hierarchy of controls applied to the Assets).
E (Eliminate): Don't explore for oil.
S (Substitute): Mauritania not Iraq.
I (Isolate): Staff in remote areas not city.
E (Engineer): Fence, gates, armoured vehicles.
A (Administrative controls): Policies, travel safety training.
P (Personal protection): Bullet-proof vests.

Page 12: Practice Areas.
Physical Security; People Security; ICT Security; Information Security; Security Management.

Page 13: SRM Quadruple Constraints.
Risk; Exposure; Resources; Quality.

Page 14: As Low As Reasonably Practicable (ALARP).
[Diagram: Magnitude of Risk, with axes labelled Risk Increasing and Cost Increasing, divided into three bands: Intolerable, ALARP, Tolerable.]
Intolerable levels of risk: adverse risks are intolerable whatever the benefits, and risk mitigation measures are essential at any cost if the activity is to continue.
As Low As Reasonably Practicable: a level of risk that is tolerable and cannot be reduced further without expenditure of costs disproportionate to the benefit gained, or where the solution is impractical to implement.
Ideal levels of risk: risks are negligible, or so small that they can be managed by routine procedures, and no additional risk treatment measures are needed.

Page 15: Cost/Benefit of Mitigation.
[Diagram: Level of Risk plotted against Cost ($, Resources, Effort); the Cost / Benefit balance point is marked ALARP.]
ALARP: "A level of risk that is tolerable and cannot be reduced further without the expenditure of costs that are disproportionate to the benefit gained or where the solution is impractical to implement."

Page 16: Risk Equilibrium (Optimal Trade-Off).
[Diagram: Magnitude of Risk, from Lower Risk to Higher Risk, in bands Intolerable, ALARP, Tolerable; Exposure balanced against Resources and Quality.]
Resources and Quality in appropriate proportion to the Exposures for an end result of risk ALARP.
Exposure: opportunities and threats in the prevailing environment (both known and unknown) that an entity could interact with.
Quality: the degree to which a set of inherent characteristics fulfils requirements.

Page 17: Risk matrix (Historical / Probability against Consequence).

Historical / Probability | Insignificant | Negligible | Moderate | Extensive | Significant
Almost Certain           |       6       |     7      |    8     |     9     |     10
Likely                   |       5       |     6      |    7     |     8     |     9
Possible                 |       4       |     5      |    6     |     7     |     8
Unlikely                 |       3       |     4      |    5     |     6     |     7
Rare                     |       2       |     3      |    4     |     5     |     6
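The grid is additive: each cell is the 1-based position of the likelihood on its scale plus the 1-based position of the consequence on its scale (Rare + Insignificant = 1 + 1 = 2, Almost Certain + Significant = 5 + 5 = 10). The Python below is an added example, not part of the SRMBOK slides: it encodes the matrix, rejects labels that are not on the scales, ranks a constructed risk register, and applies the "Change Likelihood" / "Change Consequence" treatment options that the deck lists later to show the residual rating. The register entries, the tie-breaking rule and the treatment check are my own assumptions.

```python
"""Added example (not SRMBOK material): the slide's 5x5 risk matrix as code."""
from dataclasses import dataclass, replace
from typing import List, Optional

# Ordinal scales exactly as labelled on the slide, lowest first.
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
CONSEQUENCE = ["Insignificant", "Negligible", "Moderate", "Extensive", "Significant"]

# The slide's grid as printed: one row per likelihood, columns in CONSEQUENCE order.
MATRIX = {
    "Almost Certain": [6, 7, 8, 9, 10],
    "Likely":         [5, 6, 7, 8, 9],
    "Possible":       [4, 5, 6, 7, 8],
    "Unlikely":       [3, 4, 5, 6, 7],
    "Rare":           [2, 3, 4, 5, 6],
}


def valid_labels(likelihood: str, consequence: str) -> bool:
    """True only for labels that appear on the slide's two scales."""
    return likelihood in LIKELIHOOD and consequence in CONSEQUENCE


def risk_rating(likelihood: str, consequence: str) -> int:
    """Rating (2..10) read from the printed grid. Unknown labels raise rather
    than default, so a typo in a register cannot silently score as low risk."""
    if not valid_labels(likelihood, consequence):
        raise ValueError(f"labels not on the scales: {likelihood!r}, {consequence!r}")
    return MATRIX[likelihood][CONSEQUENCE.index(consequence)]


def additive_rating(likelihood: str, consequence: str) -> int:
    """Closed form of the same grid: 1-based likelihood index + 1-based consequence index."""
    return (LIKELIHOOD.index(likelihood) + 1) + (CONSEQUENCE.index(consequence) + 1)


def matrix_is_additive() -> bool:
    """Confirm the printed grid and the closed form agree on all 25 cells."""
    return all(risk_rating(l, c) == additive_rating(l, c)
               for l in LIKELIHOOD for c in CONSEQUENCE)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    consequence: str

    @property
    def rating(self) -> int:
        return risk_rating(self.likelihood, self.consequence)


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest rating first. Assumed tie-break: the worse consequence ranks
    higher, so a rare-but-severe event sits above a frequent trivial one."""
    return sorted(register,
                  key=lambda r: (r.rating, CONSEQUENCE.index(r.consequence)),
                  reverse=True)


def treat(risk: Risk, likelihood: Optional[str] = None,
          consequence: Optional[str] = None) -> Risk:
    """Apply a treatment that changes likelihood and/or consequence and return
    the residual risk. A change that raises the rating is rejected (assumed
    rule): that would not be a treatment."""
    residual = replace(risk,
                       likelihood=likelihood or risk.likelihood,
                       consequence=consequence or risk.consequence)
    if residual.rating > risk.rating:
        raise ValueError(f"{risk.name}: change raises rating {risk.rating} -> {residual.rating}")
    return residual


# Constructed sample register (illustrative entries, not from the slides).
REGISTER = [
    Risk("Unpatched internet-facing portal", "Likely", "Extensive"),          # 4 + 4 = 8
    Risk("Laptop theft from vehicle", "Possible", "Moderate"),                # 3 + 3 = 6
    Risk("Insider leaks classified document", "Unlikely", "Significant"),     # 2 + 5 = 7
    Risk("Tailgating into office foyer", "Almost Certain", "Insignificant"),  # 5 + 1 = 6
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.rating:2d}  {r.likelihood:<15} {r.consequence:<14} {r.name}")
    # Treating likelihood only (e.g. a patching cadence) lowers the portal from 8 to 6.
    residual = treat(REGISTER[0], likelihood="Unlikely")
    print(f"residual: {REGISTER[0].rating} -> {residual.rating}")
```

Because the grid is additive, a one-step improvement on either axis lowers the rating by exactly one, so the matrix cannot express that reducing a Significant consequence is worth more than reducing a Negligible one; the assumed tie-break in `prioritise` is one way to restore that ordering when ratings are equal.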

Page 18: Risk Equilibrium (Optimal Trade-Off).
[Diagram: scale from Lower Risk to Higher Risk, graduated 2 to 10 as in the risk matrix; Resources and Quality set against Exposure and Risk.]

Page 19: Magnitude of Risk: Risk High if Resources & Quality Low.
[Diagram: same Lower Risk to Higher Risk scale (2 to 10) with Resources and Quality set against Exposure and Risk.]

Page 20: Magnitude of Risk: Resources High but Quality Low.
[Diagram: same Lower Risk to Higher Risk scale (2 to 10) with Resources and Quality set against Exposure and Risk.]

Page 21: Knowledge Areas.
Risk; Exposure; Resources; Quality.

Page 22: Knowledge Areas.
Risk; Exposure; Resources; Quality, with arrows labelled Reduce and Increase.

Page 23: SRMBOK Framework (diagram; repeat of the page 2 slide).

Page 24: Competency Areas.
Business Integration; Functional Design; Implementation; Assurance.

Page 25: SRM Integration.
Strategic Knowledge Areas; Operational Competency Areas; SRM Integration.

Page 26: SRMBOK Activity Areas.
Activity Areas: Intelligence; Protective Security; Incident Response; Recovery & Continuity.
BowTie Model: Threats; Hazard; Event; Consequence; Effect.
PPRR Model: Planning; Preparation; Response; Recovery.

Page 27: Bow Tie / ESIEAP IP Example.
[Bow-tie labels: Hacking Attack (the event); Hacking; WWW Portal; Criminals; Data Loss; Bankruptcy.]
E (Eliminate): Eliminate the need to hold sensitive information.
S (Substitute): Substitute open source or less sensitive material.
I (Isolate): Maintain secrecy or keep in a secret location.
E (Engineer): Firewall, backups in safe, etc.
A (Administrative): Password policies, training, etc.
P (Personal protection): Patents, legal defence, file encryption.

Page 28: Activity Areas against Practice Areas (matrix).
Activity Areas: Intelligence; Protective Security; Incident Response; Recovery & Continuity.
Practice Areas: Physical Security; People Security; ICT Security; Information Security; Security Management.

Page 29: Activity Areas against Practice Areas, with example roles placed in the matrix.
Activity Areas: Intelligence; Protective Security; Incident Response; Recovery & Continuity.
Practice Areas: Physical Security; People Security; ICT Security; Information Security; Security Management.
Roles shown: Project Managers; Recover Class. Docs.; Access Control; Psychologists; Technicians; Intelligence Professionals; Fraud Analysts; Investigators; Prison Officers; Decryption Specialists; Incident Controller; Public Affairs; Firefighters; First Aider; Emergency Comms; Chief Security Officer; IT Security Advisers; Close Personal Protection; Vetting Officer; Firewall Programmer.

Page 30: Links with Bow-Tie.
Activity Areas: Intelligence; Protective Security; Incident Response; Recovery & Continuity.
Practice Areas: Physical Security; People Security; ICT Security; Information Security; Security Management.
Roles and tasks shown: Project Management; Recover Class. Docs.; Access Control; Peer Support Training; Restore Networks; Intelligence Professionals; Fraud Analysts; Investigators; Prison Officers; Decryption Specialists; Incident Control; Public Affairs; Firefighter; First Aid; Emergency Comms; Chief Security Officer; IT Security Advisers; Close Personal Protection; Vetting Officer; Firewall Programmer.
[Bow-tie labels overlaid on the matrix: Threats; Hazard; Event; Consequence; Effect.]

Page 31: Asset Areas.
Physical Property; People; Information; Information & Communication Technologies; Capability.

Page 32: SRM Enablers.
Enablers: Regulation and Policy; Training and Education; Operations and Application; Governance & Supervision; Sustainability & Resilience.
Applied across the asset areas: Physical Property; People; Information; Information & Communication Technologies; Capability.

Page 33: SRM Integration (SRMBOK Framework diagram; repeat of the page 2 slide).

Page 34: PICTURES PAINT A…

Page 35: Targets and Hazards (image only).

Page 36: Asset Attributes (image only).

Page 37: (image only).

Page 38: (image only).

Page 39: SRMBOK Elements of the Security Risk Management Process (diagram, built on AS/NZS 4360:2004).
Process steps: Establish Context; Identify Risks; Analyse Risks; Evaluate Risks; Treat Risks. Communicate and Consult and Monitor and Review run alongside every step. Residual Risk remains after treatment.
Context and evaluation labels: Internal / External Environment; Establish Security Criteria; Assess Existing Controls; Document 'Risk Statement'; Risk Prioritisation.
Analysis labels: Hazard Attributes (Intent; Capability); Threat Actor Motivation; Threat Actor Attributes (Suitability; Deployability; Exposure (Duration); Accessibility (of target); Desire; Confidence; Resources; Knowledge; Effectiveness; Opportunity); Asset Attributes (Temporal Qualities; Recover-ability; Recognis-ability; Availability; Criticality; Impact); Asset Targetability; Vulnerability; Threat (Intelligence based); Likelihood (and/or Probability); Consequence ('Shock'); Risk Rating.
Risk Treatment Options: Avoid the Risk; Change Likelihood; Change Consequence; Share the Risk; Retain the Risk.
ESIEAP (in order of preference): Eliminate the risk; Substitute the risk; Isolate the asset; Engineering controls; Administrative controls; Personal Protective Equip.

Page 40: SRM Maturity Model.
Level 1 - INITIAL: compliance approach with minimal or excessive ad hoc reactive practices, and little awareness of SRM benefits.
Level 2 - BASIC: informal or unstructured SRM systems which are focussed on loss prevention and threat mitigation.
Level 3 - REPEATABLE: structured SRM built into routine management processes with evident awareness of benefits at all levels.
Level 4 - OPTIMISING: proactive SRM, resilience & opportunity realisation practiced at all levels as part of competitive advantage.

Page 41: Application (diagram).
Labels: Organisational Goals; Vision & Mission; Direction; Execution; Policy; Procedures; Security Instructions; Tools, Templates, etc; Systems; Security Risk Assessment; Implementation; Training; Report, Monitor, Review.

Page 42: Application (image only).

Page 43: Application (image only).

Page 44: Enterprise Security Specifications (1).
Security Measure / Area Type by Threat/Risk Level (Low; Moderate; Medium; High; Extreme):
Building Protection: Low - SHOULD* commercial grade alarm; Moderate - MANDATORY commercial alarm, monitored; Medium - MANDATORY commercial alarm, monitored; High - MANDATORY encrypted alarm, monitored; Extreme - MANDATORY encrypted alarm, encrypted monitoring.
Intruder Resistant Area: Encrypted alarm system & peripherals.
Secure Room: Type 1 alarm system & peripherals.
NOTES:
* Sensor-activated halogen flood lighting should be installed at both the front and rear of the office/residence to illuminate the immediate grounds area. A command switch for the lighting shall be installed within the house for manual override or for manual use of the lighting.
** For all Encrypted Intruder Alarm Systems (IAS):
• Detectors should cover all entrance and exit points.
• All perimeter doors should be protected with balanced magnetic reed switches.
• All SAS hardware is to be located in the controlled perimeter.
• A Man-Machine Interface (keypad) should be located within the residence in close proximity to the main entry door, and should provide for a 30-second delay on entry/exit.
• If power is lost to the residence, an uninterrupted power supply (UPS) or battery backup system should be used to provide power to the SAS for a minimum of four (4) hours.
• The SAS should be monitored by a host country accredited monitoring station, in accordance with Australian Standard (AS) 2201 or an equivalent specification.
• There should be written procedures in place in the event of an alarm. These may vary in accordance with operational requirements, but they must encompass instructions on contacting the staff and families, and a suitable response.
• Contingency plans should be put in place in the event of failure of the Type 1 SAS.

Page 45: Enterprise Security Specifications (2).
Intruder Alarm System by Threat Level (1; 2; 3; 4; 5):
VC: S; M; M; M; M-Crypt
IMG: S; M; M; M-Crypt
PMV: S; M; M; M-Crypt
Esp.: S; M; M-Crypt; M-Crypt; M-Crypt

Page 46: Enterprise Security Specifications.
Threat Levels: 1; 2; 3; 4; 5.
Intruder Alarm System:
VC: S; M; M; M; M-Crypt
IMG: S; M; M; M-Crypt
PMV: S; M; M; M-Crypt
Esp.: S; M; M-Crypt; M-Crypt; M-Crypt
Window Treatments:
VC: S1; S2; 2343-R1; 2343-R2; 2343-R2
IMG: S; 2343-R1; 2343-R2; 2343-R2
PMV: S; 2343-R1; 2343-R2; 2343-R2
Esp.: S; S; M; 2343-G0
Locks:
VC: M; M; M10; M11; M12
IMG: M; M; M10; M11; M11
PMV: M; M; M10; M11; M11
Esp.: M; M; M10; M11; M12
Lock key: 10 = Pick-resistant hardened; 11 = Pick-resistant hardened, controlled profile; 12 = Pick-resistant hardened, restricted profile, organisation-endorsed.

Page 47: Enterprise Security Postures.
Safety Measure by Alert Level (1 to 5).
Briefings:
Level 1: Upon induction/recruitment plus on an annual basis, all staff are to be briefed on local security plans and on protective security measures/practices. Intelligence & Staff Safety summaries provided on each country as required, but no less than quarterly.
Level 2: All staff to be briefed on change of Alert Level and threat where known. All staff to be reminded to be vigilant/inquisitive about strangers, to watch out for unidentified or unattended packages and vehicles. Monthly Intelligence & Staff Safety summaries provided on each country.
Level 3: All staff to be briefed on change of Alert Level and threat where known. All staff to be advised of contingency and emergency response plans, and reminded to be particularly vigilant. Intelligence & Staff Safety summaries provided on each country as required but not less than weekly.
Level 4: All staff to be briefed on change of Alert Level and specific threat. Intelligence & Staff Safety summaries provided on each country as required but not less than bi-weekly.
Level 5: All staff to be briefed on change of Alert Level and specific threat. Intelligence & Staff Safety summaries provided on each country as required but not less than daily.
Uniform:
Level 1: No restrictions on the wearing of uniform except that security passes are not to be worn outside of airports.
Level 2: No restrictions on the wearing of uniform except that security passes are not to be worn outside of airports.
Level 3: No security restrictions on the wearing of uniform, unless the cabin crew manager imposes local restrictions.
Level 4: No uniforms to be worn outside of airport precincts. Staff are to change within designated lounges.
Level 5: Consider cancelling flights until Alert Level lowers. Otherwise as per Alert Level 4.

Page 48: (untitled diagram of layered human-factor causes).
Inappropriate Acts: Error; Deliberate Act.
Pre-Conditions: Environmental Factors; Condition of Individuals; Personnel Factors.
Oversight: Inadequate Supervision; Planned Inappropriate Operations; Fail to Correct Known Problem; Supervisory Violations.
Organisational Influences: Resource/Acquisition Management; Organisational Climate; Organisational Process.

Page 49: Swiss Cheese Theory.
Layers (Failed or Absent Barriers): Organisational Influences; Supervision & Oversight; Pre-Conditions; Inappropriate Behaviours.
Example holes shown through the layers: Culture of rule breaking and inadequate selection / training for managers & staff; Inadequate management intervention and training (procurement & security); Air-con failed in warm weather due to inadequate maintenance contract; Door left open on a warm day.

Page 50: Closing slide. Principal Sponsor; Sponsors; Lead Authors & Editors: Dr. Miles Jakeman & Julian Talbot.

Page 51: Intellectual Property Rights and Copyright.
These SRMBOK slides and graphics are provided for public and corporate use to assist in consistency of presentation. They may only be used in accordance with the following terms:
• Use of the material must acknowledge and identify RMIA and JBS as its owners and developers. Subscriber organisations or RMIA members have the right to adapt the product, and could do a self-assessment on their own or engage the services of consultants to help them carry out an assessment. Any adaptation must still continue to acknowledge and identify RMIA and JBS as the source of this product.
• The material may not be copied and furnished to others without the express written permission of RMIA, except as needed for the purpose of research as permitted under copyright legislation.
• The material is provided on an "as is" basis. RMIA disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose.
• Further information on SRMBOK procedures with respect to rights in RMIA specifications can be found at www.srmbok.com. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification, can be obtained from the RMIA President.