Advancing the Science of Safety. A Holistic Approach To Effective Security Risk Management 3rd Annual IIRSM UAE Branch Symposium / AGM 2 nd May, 2018

Transcription

1 A Holistic Approach To Effective Security Risk Management 3rd Annual IIRSM UAE Branch Symposium / AGM 2 nd May, 2018

2 Introduction What is Security? The state of being free from danger or threat How is it different from safety? 2

3 Main challenges related to generic Security Management The Contest Understanding and accurately assessing the actual security risk profile. Adjusting to (potentially) continuously changing threat landscapes. Presenting an attractive value proposition to decision makers and demonstrating added value. Finding the right balance between effective security control measures and functionality/productivity, including a positive user experience (e.g. freedom of movement and activity for legitimate users). 3

4 Security Management Framework Key elements of an effective Security Management Framework Leadership engagement and support (throughout the organization) Conducive security culture (throughout the organization) Clear and concise guiding documentation (Legislation, Policies, Procedures, Standards etc.) Operational capability and capacity (competent and motivated personnel in sufficient numbers, robust security planning and design, reliable and fit-for-purpose security systems/equipment) 4

5 Communicate & Consult Monitor & Review Security Risk Management ISO 31000:2018 Risk Management Guidelines Establish the Context Risk Assessment Identify Risk Analyse Risk Evaluate Risk Treat Risk 5

6 Security Risk Management Examples of security risk assessment standards/guidelines: ANSI/API STD 780 Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries ANSI: American National Standards Institute API: American Petroleum Institute ASIS Risk Assessment Standard RA ASIS: American Institute for Industrial Security ISO27005 Information Security Risk Management ISO: International Standards Organization Etc 6

7 Security Risk Management 7

8 The Risk Management Process Step 1 - Establish the Context Defining the purpose, main aim and key objectives; Defining the scope and boundaries (inclusions/exclusions/limitations), including explanations and justifications; and Setting new, and/or understanding existing, risk tolerability criteria. 8

9 The Risk Management Process Step 2 - Identify Risk A risk description is formally defined in the ISO Guide 73 as a structured statement of risk usually containing four elements: Sources (the hazards/threats); Event (the risk scenario); Causes (the contributing/escalating factors); and Consequences (the impacts). 9

10 The Risk Management Process Examples of security related risks: Theft Damage Fraud Industrial Sabotage (physical, cyber, overt, covert) Unauthorized Access (not always a risk on its own ) Workplace Violence (harassment, assault, active shooter) LOSS OF, OR DAMAGE TO, ASSETS BUSINESS INTERRUPTION AND/OR DAMAGE TO REPUTATION LOSS OF INCOME/REVENUE OR ENTIRE BUSINESS 10

11 The Risk Management Process Risk = Consequence x Likelihood Analysis methods can include: Qualitative Semi-Quantitative Quantitative Step 3 - Analyze Risk 11

12 The Risk Management Process Step 4 - Evaluate Risk Evaluating risks against each other Evaluating risks against the risk tolerability criteria 12

13 The Risk Management Process Step 5 - Treat Risk Actual modification of risk commences during this step. Arguably the most important part of the risk management process in terms of actual change. Avoiding or eliminating the risk (stopping or not commencing an activity/condition) Reducing the risk (reducing consequence and/or likelihood) Transferring the risk (insurance, outsourcing) (Accepting the risk, taking into account the risk tolerability criteria) In general, actions that are identified during this step are either: Aimed at improving the effectiveness of existing control measures; or Aimed at introducing/implementing new control measures. 13

14 The Risk Management Process Communicate & Consult (throughout the process) Vital to communicate and consult with key stakeholders, subject matter experts and other people who can add value to the process, or will be impacted by the outcomes of it. 14

15 The Risk Management Process Changes in risk dynamics Eliminated risks New emerging risks Monitor & Review (ongoing) 15

16 Basic Security Management Principles Defense In Depth (D3R) Crime Prevention Through Environmental Design (CPTED) Based on the assumption that: Proper design and effective use of the built environment can lead to a reduction in the fear of crime and incidence of crime, and to an improvement in the quality of life. (Crowe, 2000) FOR ANOTHER TIME 16

17 Basic Security Management Principles Deter Detect Delay Respond (Recover) Defense In Depth (D3R) The Asset 17

18 Basic Security Management Principles Main Categories of Security Control Measures/Approaches Physical (signs, fences, walls, bollards, locks etc.) Electronic (video surveillance, intrusion detection, access control etc.) Procedural (security administration, guard force etc.) Cyber (procedural, technological) 18

19 Basic Security Management Principles The Roadmap A risk-based, fit-for-purpose system, where all components work together effectively. 19

20 Thank you. Q s? 20

21 Contact Attila Tamas For More Information Visit jensenhughes.com 21