Srm And Asset Protection V1.0

Best Practices in Security Risk Management

Published in: Business, Economy & Finance

  1. Security Risk Management & Asset Protection: Better Practices
     Presented by Paul Curwell, Booz & Company
     6th Regional Professional Security Conference, 17th & 18th June 2008, Kuala Lumpur, Malaysia
     Kuala Lumpur, June 17, 2008
  2. Learning Objectives
     – Understand the basic concepts involved in Security Risk Management and how they can be applied to asset protection
     – Gain an appreciation of the range of methodologies available
     – Understand why and how specific methodologies are used
     – Understand the distinction between Security Risk Management activities conducted for systems and processes versus organisations
     – Understand the relationships between Security Risk Management and Business Continuity Management
     – Know where to go for further information
     (Slide footer: 6th Regional Professional Security Conference, Kuala Lumpur; Booz & Company; SRM and Asset Protection v1.0.ppt; June 17, 2008)
  3. Content
     – Introduction
     – Basic Principles
     – Relevance
     – Case Studies
     – Additional Resources
  4. Introduction
  5. Today, organisations face a new operating reality affecting the safety, security and continuity of their business (Source: S. Sidoti, Booz & Company)
  6. Operational complexities have outpaced most operational risk management practices (Source: S. Sidoti, Booz & Company)
  7. The result of these operational complexities, and the speed at which they develop, can be referred to as the ‘resilience gap’ (Source: S. Sidoti, Booz & Company)
  8. This resilience gap, and the move towards networked operating models, presents new challenges for OpRisk management
     Operational Risk Management involves numerous techniques which address both loss reduction and event avoidance.
     – Operational risks result from inadequate or failed internal processes, systems, people or from external events
     – Examples of operational risks include technology risk, legal risk, security risk and compliance risk
     Operational Risk is characterised by unpredictable, seemingly random events.
     – This is because operational risks range from extremely common to extremely rare, such as 1:100 year and 1:1,000 year events
     – For these types of risk, it is quite plausible that no data exists to calculate their magnitude or impact
     Basel Committee Operational Risk Loss Event Groups[1]:
     1. Internal Fraud
     2. External Fraud
     3. Employment practices and workplace safety
     4. Clients, products and business services
     5. Damage to physical assets
     6. Business disruption and system failures
     7. Execution, delivery and management process
     [1] Alvarez, G. (2002) “Operational Risk Event Classification”
  9. Of particular concern in operational risk management is the management of risks categorised as high impact, low probability
     Because of their scarcity, high impact, low probability operational risks typically lack data on likelihood, detailed insights as to how they may develop, and what the implications may be.
     Low impact, low probability and low impact, high probability risks are typically more manageable because of the availability of data, enabling more informed risk-based decision making.
     Figure 1: Four categories of ‘Operational Risk Event’ (Impact against Probability: High Impact / Low Probability; High Impact / High Probability; Low Impact / Low Probability; Low Impact / High Probability)
  10. Basic Principles
     – Definitions
     – Steps in Security Risk Management
     – Treating Security Risks
  11. Security Risk Management Definitions
     Risk: The chance of something happening that will have an impact upon objectives. Measured in terms of likelihood and consequence.
     Vulnerability: Any weakness that can be exploited by an aggressor to make an asset susceptible to change.
     Threat: Anything that has the potential to prevent or hinder the achievement of objectives or disrupt the processes that support them; a source of, or potential for, harm to occur; a source of risk.
     Consequence: The outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. There may be a range of possible outcomes associated with an event.
     Likelihood: Used as a general description of chance, probability or frequency of an event occurring.
     Source: HB167:2006 ‘Security Risk Management’, Standards Australia
  12. Step 1 in the Security Risk Management process is developing a comprehensive understanding of the business and its environment
     Establish Context: the objective of establishing the context is to develop a comprehensive understanding of the business and its drivers.
     – This is critical to the identification, analysis, evaluation and treatment of risks
     Think across the business, considering:
     – Physical interactions (i.e. business to business, business to customer etc)
     – Interactions which occur via an ICT interface
     Understand the organisational structure.
     What are the key earnings drivers?
     – Does a large proportion of the business revenue result from a small number of business activities?
     Understand, and preferably map, process flows within the organisation.
     Identify and map critical interdependencies.
     Understand the organisation’s strategic and operational objectives.
     Understand, and preferably map, the organisation’s external networks and interdependencies.
     – This includes supply and distribution chains
  13. Step 2, Risk Identification, aims to generate comprehensive insights into risks facing the organisation
     How could the risk happen?
     – Sources of risk
     Why could the risk happen?
     – Causes of risk
     – Presence or absence of risk treatments or controls designed to mitigate the risk
     What could happen and what might the associated consequences be?
     Where could the risk happen?
     – Physical location
     When could the risk happen?
     – E.g. can the risk only occur at specific times?
     Who could / must be involved in the specific risk event?
     – E.g. individuals, business units, etc
     Risk Identification Methods include: Checklists; Professional Judgement; Flowcharts; Brainstorming; Systems Analysis; Scenario Analysis; Groups of experts; Modelling and simulation; Fault tree analysis; Event tree analysis.
  14. Step 3: Risk Analysis uses available information to determine an event’s probability and the magnitude of its consequences (1/2)
     Security Risk Analysis starts with an evaluation of a threat against a specific vulnerability. This evaluation is informed by two activities:
     – Threat Assessment; and,
     – Vulnerability Assessment
     A Threat Assessment is concerned with identifying those events, aggressors, attackers or adversaries that can cause losses to organisational, community or individual assets[1].
     A Vulnerability Assessment considers how each of the credible threats (identified in the Threat Assessment) can be realised against each critical asset[2].
     The approach used to perform a risk analysis is dependent upon the type of activity concerned.
     – Security Risk Assessments on organisations typically utilise approaches which have a basis in security intelligence
     – Security Risk Assessments on products or services (e.g. credit cards, pharmaceuticals, welfare payments) typically utilise systems and processes which lend themselves to system or process engineering risk methodologies
     [1] HB167:2006 Security Risk Management
     [2] Ibid
  15. Step 3: Risk Analysis uses available information to determine an event’s probability and the magnitude of its consequences (2/2)
     There are numerous risk assessment methodologies available. Considerations for deciding which risk assessment methodology to use can include:
     – Whether an organisation, process or system is under evaluation
     – Desired outcomes or objectives
     – Analyst familiarity with the techniques
     – Regulatory requirements
     – Existing practices within the organisation
     – Cost-benefit analysis
     – Availability of data (i.e. qualitative versus quantitative)
     – Available timeframe to conduct the assessment activity
     – Technical depth of the topic concerned
     Selecting the Risk Analysis Methodology
     – The analyst must determine which methodology is most appropriate
     – The most appropriate model could be a hybrid which combines elements from different methodologies
     Remember that no two risk assessment activities will be identical.
     – The most important consideration when designing and/or selecting a risk assessment methodology is being able to justify the approach
     – The approach must be reasonable and sufficiently robust to address potential legal issues, such as negligence and liability, in the event that a risk event arises
  16. The Security Risk Management ‘equation’ illustrates how each component combines to generate a risk, which is then treated[1]
     Residual Risk = Risk - Risk Treatment
     Risk = Likelihood x Consequence
       Likelihood is built from Probability and Exposure, with Probability derived from Threat x Vulnerability
       Consequence is informed by a Criticality Assessment
       Threat = Intent + Capability
         Intent = Desire + Expectations
         Capability = Knowledge + Resources + Skills
     [1] HB167:2006 ‘Security Risk Management’, Standards Australia
  17. Step 4: Risk analysis concludes with each risk being rated so that decisions can be made about risk treatment priorities
     The purpose of risk evaluation is to group risks into three broad categories:
     – Broadly Acceptable
     – Tolerable (As Low As Reasonably Practicable)
     – Intolerable (i.e. catastrophic risks)
     The ALARP framework (shown in the slide’s figure) can help with deciding which risks require treatment, which can be ignored (left untreated) and to what extent.
     Source: Security Risk Management Body of Knowledge
  18. Example: A business’ annual revenue projections for the year are $850K, and it has approximately $2.2m in owners’ equity[1] (Illustrative)
     • How many low impact losses might a company be able to tolerate?
     • What impact might a serious loss event have on the business’ operating position for the next financial year?
     Chart: Likelihood against total losses over a one year period (consequence), from $0 to $4.5m, annotated as follows:
     – Risk Acceptance and Financing: Risks up to $850K can be retained (i.e. absorbed by the firm through earnings)
     – Risk Acceptance and Financing: Risks resulting in losses over $850K, but under $2.2m, can be retained (losses can be absorbed by Capital)
     – Risk events resulting in losses over $3m cause a catastrophic loss (cannot be financed if not transferred)
     [1] Adapted from Bank of International Settlements (2003). “Operational Risk Transfer across the Financial Sectors”
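As an added example (not from the deck or from HB167), the following Python puts the components of the ‘equation’ on slide 16, the three ALARP categories of slide 17 and this slide’s revenue and equity bands into a small risk register. The 1-5 scoring scales, the way they are combined and the ALARP cut-offs are assumptions, and the register entries are constructed loosely from the deck’s case studies.

```python
"""Constructed risk-register example, not the presenter's or HB167's own model:
applies the SRM 'equation' from the deck, then the ALARP categories and the
revenue/equity bands of the example business. Scales and cut-offs are assumed."""
from dataclasses import dataclass

# Figures from the slide's example business (AUD).
ANNUAL_REVENUE = 850_000       # losses up to here absorbed through earnings
OWNERS_EQUITY = 2_200_000      # losses up to here absorbed by capital
CATASTROPHIC_LOSS = 3_000_000  # above here the loss cannot be financed

@dataclass
class Risk:
    name: str
    desire: int           # Intent = Desire + Expectations (each scored 1-5)
    expectations: int
    knowledge: int        # Capability = Knowledge + Resources + Skills (1-5)
    resources: int
    skills: int
    vulnerability: int    # 1 = well controlled .. 5 = open weakness
    exposure: int         # 1 = rare contact with the threat .. 5 = constant
    consequence_aud: int  # estimated loss from one event within the year
    treatment: float = 0.0  # fraction of the risk removed by controls

    def threat(self) -> int:  # Threat = Intent + Capability, range 5..25
        intent = self.desire + self.expectations
        capability = self.knowledge + self.resources + self.skills
        return intent + capability

    def likelihood(self) -> float:
        # Threat x Vulnerability (max 125) averaged with Exposure, both 0..1; assumed.
        probability = self.threat() * self.vulnerability / 125
        return 0.5 * probability + 0.5 * self.exposure / 5

    def risk_aud(self) -> float:  # Risk = Likelihood x Consequence
        return self.likelihood() * self.consequence_aud

    def residual_risk_aud(self) -> float:  # Residual Risk = Risk - Risk Treatment
        return self.risk_aud() * (1 - self.treatment)

def alarp_category(residual_aud: float) -> str:
    # Assumed cut-offs, expressed as a share of annual revenue.
    if residual_aud < 0.05 * ANNUAL_REVENUE:
        return "Broadly Acceptable"
    if residual_aud < 0.5 * ANNUAL_REVENUE:
        return "Tolerable (ALARP)"
    return "Intolerable"

def financing_band(loss_aud: float) -> str:
    if loss_aud <= ANNUAL_REVENUE:
        return "retain: absorbed through earnings"
    if loss_aud <= OWNERS_EQUITY:
        return "retain: absorbed by capital"
    if loss_aud <= CATASTROPHIC_LOSS:
        return "transfer: exceeds capital (assumed band)"
    return "catastrophic: cannot be financed"

def rank_register(risks: list) -> list:
    """(name, residual risk, ALARP category, financing band), highest first."""
    rows = [(r.name, round(r.residual_risk_aud()), alarp_category(r.residual_risk_aud()),
             financing_band(r.consequence_aud)) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed register loosely based on the deck's case studies.
REGISTER = [
    Risk("ATM skimming at branches", 4, 4, 4, 3, 4, 3, 5, 600_000, 0.6),
    Risk("Research team leaves with undocumented IP", 5, 4, 5, 4, 5, 5, 2, 4_000_000),
    Risk("Mule accounts used to launder fraud proceeds", 3, 3, 3, 2, 2, 2, 4, 300_000, 0.3),
    Risk("Vandalism of external signage", 2, 2, 1, 1, 1, 3, 3, 20_000),
]
```

Calling rank_register(REGISTER) orders the constructed register with the undocumented-IP risk first as Intolerable and catastrophic to finance, which mirrors the biotech case study later in the deck.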
  19. Step 5: Once an acceptable level of risk for the organisation has been determined, four options are available to treat risk
     Ultimately, the cost of security measures used to manage risk exposure should not exceed the cost of the loss resulting from an event, or combination of critical events.
     Reduce the risk:
     – Introduce controls to reduce the consequence or likelihood of the risk
     Avoid the risk:
     – Cease or change the activities which create the exposure to risk
     Share the risk:
     – Transfer part of the risk to a 3rd party, such as an insurer
     Accept the risk
     Chart: Risk Reduction – the optimum level of resourcing means balancing Cost of Security against Cost of Loss[1] (cost of security and cost of loss plotted against time, with the optimum level of security resourcing marked)
     [1] Source: Protection of Assets Manual – Security Vulnerability
  20. Relevance
  21. In our increasingly complex and interconnected world, security, and by necessity security risk management, has never been so important
     The dynamic nature of criminal activity poses significant challenges to both private industry and Law Enforcement in terms of keeping pace with change.
     – Threats and vulnerabilities are a product of our global environment: social, political, economic, cultural and technological
     Emerging technologies typically have a radical impact on our environment.
     – They introduce additional complexity, making it hard to identify and manage vulnerabilities.
     – They provide new avenues for criminals to exploit, and typically present a low risk, high reward opportunity due to delayed detection and response.
     Many organizations fail to integrate security elements into new product development teams, meaning security is typically ‘added on’ rather than integrated into initial design concepts.
     – This approach typically increases the cost of implementing security whilst decreasing its effectiveness
     – This approach can also expose the organisation to unnecessary reputational risk
  22. Security risks rapidly translate into catastrophic business continuity risks, threatening an organisation’s future viability
     Organisations are increasingly becoming interlinked, so one organisation’s vulnerability flows on to others in the value chain.
     – Many organizations fail to embed security risk management approaches across their business (horizontally and vertically) and throughout the supply chain.
     – Where security risk management approaches are implemented, there are often inconsistent levels of protection
     Factors such as increased technological innovation, competition, consumer demand, outsourcing and offshoring help accelerate the speed of business, impacting upon the timeframe companies have to identify and manage security risks.
     Security and Business Continuity Risks[1] (Illustrative)
     Incident                                                   Losses
     1982 - Johnson & Johnson – Product tampering (Tylenol I)   $150m
     1986 - Johnson & Johnson – Product tampering (Tylenol II)  $150m
     1986 - Sandoz – Fire and Pollution                         $85m
     1988 - Norco – Explosion and fire                          $706m
     1988 - Pan Am – Terrorism                                  $652m
     1992 - Commercial Union – Terrorism                        $2,170m
     [1] Knight and Pretty (2002). “Impact of Catastrophes on Shareholder Value”, Sedgwick Oxford.
  23. Case Studies
     – Case Study 1: Security Risk in Electronic Banking
     – Case Study 2: Security Risk Management in a Biotech Company
     – Case Study 3: Strategic Security Risk Management in Banking
  24. Case Study: Security Risk in Electronic Banking
     “Money Mules” are intermediaries, working between criminals who obtain funds illegitimately from bank customers (victims). Money mules are an essential element in the criminal transfer of money, including money laundering, with respect to the proceeds of online banking crime.
     Money mules are typically recruited through seemingly legitimate employment opportunities. People typically work as money mules for secondary employment. Characteristically, one mule will recruit others from within their social network.
     Mules must open bank accounts in their country of origin to transfer stolen funds to overseas criminal syndicates.
     Money mules are a critical enabler as they are required to perpetrate online banking crimes across international borders.
     Using analytical and GIS mapping techniques, we profiled the typical ‘mule’ in Australia. These profiles could then be integrated into fraud detection systems, providing additional monitoring for ‘high risk’ individuals (potential mules).
     Key Consideration: Approaches to Security Risk Management should not be limited to published standards. Often, complex risks cannot be addressed through ‘normal’ approaches.
  25. Case Study: Security Risk Management in a Biotech Company
     As knowledge-creating businesses, the majority of assets in a biotech company are intangible and therefore difficult to identify and protect. Many biotechnology companies are heavily engaged in R&D and also engage extensively with third parties through activities such as Joint Ventures.
     A biotechnology company had entered into a joint venture with a vendor to commence trials on a new diagnostic test, with a view to taking the diagnostic to market.
     Recognising the value of the potential opportunity, the vendor made a lucrative offer to hire the research team, unbeknownst to the research team’s employer.
     In the absence of any controls, the research team only partially documented their research outcomes. Less than three weeks after resigning, the research team had filed three separate patent applications.
     Research documentation has a significant impact on the ability to obtain a patent, which is the best way of recovering these types of investments in R&D. This precluded the biotech from commercialising the diagnostic, pending a court hearing.
     Key Consideration: Security risks are often industry and organisation specific. Unless identified early, potentially catastrophic risks can easily be overlooked.
  26. Case Study: Quantifying Strategic Security Risk in Banking
     Financial Institutions, their customers and merchants represent lucrative targets for criminals. Conversely, law enforcement is typically required to provide a response to attacks against banks with little forewarning and inadequate time to understand the complex systems and environment.
     Australia’s banks and law enforcement agencies wanted to identify potential global technology-enabled financial crime [TEFC] (e.g. online banking fraud) hotspots.
     Early warning of potential high-risk countries would enable the implementation of more stringent controls around banking platforms. This information could also be used by law enforcement with respect to international cooperation and training activities, especially in developing countries.
     No previous attempts had been made to rank TEFC security risks in this manner.
     By applying strategic intelligence techniques to a selection of key data indicators and using a scored and weighted algorithm, we were able to quantitatively rank every country in the world with respect to its TEFC risk status.
     Key Consideration: Common security risk management methodologies are not always suitable. Innovative or hybrid approaches may be utilised provided they are defensible.
  27. Additional Resources
     – References
     – Sample Reports
  28. Publicly available Security Risk Management resources include standards, manuals, handbooks and other useful references
     Standards
     – AS/NZS 4360:2004 Risk Management
     – BS7799 Information Security Management (ISO17799 and ISO27001)
     – Malaysian Standard ICS 03.100 Business Continuity Management
     – ISO/DIS 31000: Risk Management – Principles and guidelines on implementation (DRAFT)
     Manuals, Handbooks and Guidelines
     – Standards Australia - HB167:2006 Security Risk Management
     – RMIA - Security Risk Management Body of Knowledge
     – ASIS International Protection of Assets Manual
     – US Coast Guard - Risk Based Decisions Manual (2nd Edition)
     – ASIS International - General Guideline for Security Risk Assessment
     Books
     – Risk Analysis and the Security Survey (3rd Edition)
  29. Numerous examples of Security Risk Management activities are publicly available which can be used to tailor your approach (Illustrative)
     – US Department of Energy - Vulnerability Assessment Methodology
     – US Department of Homeland Security - Vulnerability Assessment Methodologies Report 2003
     – BASF Security Vulnerability Assessment (SVA) Methodology & Enhanced Security Implementation Management
     – US Critical Infrastructure Assurance Office - Vulnerability Assessment Framework (1998)
     – UK Serious Organised Crime Agency - Threat Assessment of Serious / Organised Crime 2006/07
     – EU Organised Crime Threat Assessment 2007
  30. Thank you for your participation. Questions?
     Paul Curwell
     Booz & Company (Australia) Ltd.
     Level 7, 12 Moore St, Canberra City ACT 2601, Australia
     Tel +61 2 6279 1966 | Mob +61 413 593 074 | Fax +61 2 6279 1990
     Paul.Curwell@booz.com
