Security Site Surveys and Risk Assessments

Looks at the necessity and methodology of conducting security risk assessments and site reviews


  • 1. Site Surveys: Why? It provides a logical and consistent methodology of quantifying and qualifying assets, vulnerabilities, impact and the associated risks. Tony Ridley, Security Consultant
  • 3. Learning Principles What do you retain?
    • 5-10% of what you read
    • 10-15% of what you hear
    • 30% of what you see and hear
    • 85% of what you teach others
  • 4. Risk Management
    • The process of selecting and implementing security countermeasures to achieve an acceptable level of risk at an acceptable cost
  • 5. Risk
    • The potential for damage or loss of an asset
  • 6. Asset
    • Any person, facility, material, information or activity that has a positive value to its owner. The assets may also have a given level of value to an adversary, as well as its owner, although the nature and magnitude of those values may differ dramatically
  • 7. Impact
    • The amount of loss or damage (tangible or intangible) that can be expected. This may be influenced by time or other factors
  • 8. Threat
    • Any indication, circumstance, or event with the potential to cause loss of or damage to an asset. It can also be defined as the intention and capability of an adversary to undertake actions that would be detrimental to the interests of the asset owner
  • 9. Adversary
    • An individual, group, organization, or government that conducts, or has the intention and capability to conduct activities, that are detrimental to the owner and/or his assets. Adversaries may include the authorities of a host nation, third party nations, political or terrorist groups (including home-grown militants, animal rights activists, students, issue motivated groups and environmental organizations) and criminals
  • 10. Vulnerability
    • Any weakness that can be exploited by an adversary to gain access to an asset. A vulnerability may result from building characteristics, equipment properties; locations of people, equipment and buildings; operation and personnel practices; and personnel behavior
  • 11. Countermeasure/s
    • An action/s taken or a physical entity used to reduce or eliminate one or more vulnerabilities. The cost of a possible countermeasure may be monetary but it may also include certain non-monetary costs, such as reduced operational efficiency, adverse publicity, unfavorable working conditions, and political consequences
  • 12. Cost-Benefit Analysis
    • Part of the management decision-making process in which the costs and benefits of each alternative are compared and the most appropriate alternative is selected
  • 13. Stakeholders
    • Risk Manager / Security Professional
    • Adversary
  • 14. Risk Manager /Security Professional
    • Goals
      • Minimize damage to organization by adversary
      • Reduce, eliminate and/or control indicators
      • Apply security budget in most cost-effective manner
      • Minimize intelligence collection by adversary
  • 15. Risk Manager /Security Professional
    • Actions
      • Identify security vulnerabilities and indicators
      • Manipulate indicators to deceive adversary
      • Add countermeasures
      • Remove countermeasures
  • 16. Risk Manager /Security Professional
    • Constraints
      • Security budget
      • Expected damage (risk)
      • Needs of the organization
      • The law; Policies; requirements of contracts; etc
  • 17. Risk Manager /Security Professional
    • Payoff
      • Deter adversary
      • Minimize gain by adversary
      • Minimize intelligence collection by adversary
      • Detect adversary
      • Detain adversary
      • Minimize cost of security
      • Promote success of client
  • 18. Adversary
    • Goals
      • Maximize benefits derived from operations
      • Expected gain
      • Identify security vulnerabilities
      • Minimize the likelihood of detection; identification and/or apprehension
  • 19. Adversary
    • Actions
      • Identify targets for observation/collection
      • Carry out intelligence collection operations
      • Conduct collection operations
      • Conduct counter competition operations
      • Discredit security countermeasures
  • 20. Adversary
    • Constraints
      • Budget for intelligence
      • In-place countermeasures
      • Self imposed rules
      • Capabilities
      • Support for operations
      • Time on target
      • Exposure
      • Follow up actions
  • 21. Adversary
    • Payoff
      • Maximize collection operations
      • Maximize return/value of collection operations
      • Re-investment of resources
      • Expansion of operations
  • 22. Questions??
  • 23. Factor Analysis Risk Management Process Flow: Assess Assets; Assess Threats; Assess Vulnerabilities; Assess Risks; Determine Countermeasure Options; Make Risk Management Decisions (Cost Analysis, Benefit Analysis)
  • 24. Step 1 Asset Identification
    • To identify assets and loss impact:
    • Determine critical assets requiring protection
    • Identify undesirable events and expected impacts
    • Value/prioritize assets based on consequence of loss
  • 25. Asset Value
    • Exclusive Possession
    • Utility
    • Cost of Creation or Re-creation
    • Operational Impact
  • 26. Asset Classification
    • People
    • Activities and Operations
    • Information
    • Facilities
    • Equipment and Materials
  • 27. Centre of Gravity Decisive Points Decisive Points Conditions of service Wages Pricing Procedures Policy Client Complaints Vocabulary Equipment Competitor Actions Image Equipment and Materials Facilities Information Activities and Operations People Centre of Gravity
  • 28. Centre of Gravity Decisive Points Decisive Points Conditions of service Wages Procedures Policy Client Complaints Vocabulary Competitor Actions Adversary Equipment and Materials Facilities Centre of Gravity
  • 29. Asset/Event Impact Assessment Chart Equipment Facilities Information Activities People Impact Level Consequence of Event Potential Undesirable Events Critical Assets
  • 30. Impact-Level Decision Matrix Rating
    • Critical
      • Indicates that compromise to the assets targeted would have grave consequences leading to loss of life or serious injury to people
    • High
      • Indicates that a compromise to assets would have serious consequences resulting in loss of classified or highly sensitive data that could impair operations affecting national interests for a limited period of time
  • 31. Impact-Level Decision Matrix Rating
    • Medium
      • Indicates that a compromise to the assets would have moderate consequences resulting in loss of confidential, sensitive data or costly equipment/property that would impair operations affecting national interests for a limited period of time
    • Low
      • Indicates little or no impact on human life or the continuation of operations affecting operational security or company interests.
  • 32. Asset/Event Impact Assessment Chart High 2 Theft/ Damage to communications equipment Theft/Damage to transport fleet Equipment Medium 5 Destruction of buildings Damage/Destruction of Power supply Facilities High 3 Theft/Compromise of Classified Information Commercial Espionage Information Medium 4 Disruption to Project/Operations Disruption to Communications Activities Critical 1 Death Assault Accident/Injury/Medical Emergency People Impact Level Consequence of Event Potential Undesirable Events Critical Assets
  • 33. Impact Level Decision Matrix
    • Undesirable events rated: 1 Injury or loss of life; 2 Damage or theft of transportation; 3 Theft or compromise of information; 4 Disruption to Production; 5 Destruction of buildings
    • Overall Impact Level Critical: Yes for each event
    • Overall Impact Level High: Yes/No for each event
    • Overall Impact Level Medium: No/Yes for each event
    • Overall Impact Level Low: No for each event
  • 34. Questions??
  • 35. Step 2 Threat Identification
    • To identify and characterize threats:
    • Identify threat categories and adversaries
    • Assess intent and motivation of adversary
    • Assess capability of adversary or threat
    • Determine frequency of threat-related incidents based on historical data
    • Estimate degree of threat relative to each critical asset
  • 36. Threat Categories
    • Foreign Government/Military Agencies
    • Terrorists
    • Insiders
    • Outsiders
    • Environmental
    • Governmental/Political
    • Competitors
  • 37. Adversary Threats-Analysis
    • Motivation
    • Intentions
    • Capabilities
  • 38. Adversary Threats-Grouping
    • Terrorist
    • Criminal
    • Psychotic
    • Disgruntled Employee
    • Local community
  • 39. Adversary Threats-Motivation
    • Terrorist
      • Motivated by cause. Wants attention; the more public the attempt or attack, the better the results.
  • 40. Adversary Threats-Motivation
    • Criminal
      • Motivated by greed. Money is their primary goal
  • 41. Adversary Threats-Motivation
    • Psychotic
      • Motivation is unclear. Some sort of personal or job pressure has made them take action
  • 42. Adversary Threats-Motivation
    • Disgruntled Employee
      • Motivated by the desire to get even with the organization/company that wronged them.
  • 43. Adversary Threats-Motivation
    • Local Community
      • Motivated by gain, either financial or status. Generates support through family or ethnic ties with promises of riches or benefits. Feelings of disparity of distribution.
  • 44. Adversary Threats-Intent Criminal Employee Terrorist Indicators Wants Needs INTENT Adversary
  • 45. Adversary Threats-Capability Community Employee Criminal Terrorist Trashint Dataint Osint Imint Sigint Humint Capabilities Adversary
  • 46. Adversary Threats-History Employee Community Criminal Terrorist Successful Incidents Attempted Incidents Suspected Incidents History Adversary
  • 47. Adversary Threat-Tracking Community Employee Criminal Terrorist History (Incidents) Capability (Methods) Intent (Interest/Need) Adversary
  • 48. Threat Level Decision Matrix
    • Critical: Intent Yes; Capability Yes; History Yes
    • High: Intent Yes; Capability Yes; History No
    • Medium: Intent Yes; Capability No; History Yes or No
    • Low: Intent No; Capability Yes or No; History No
  • 49. Threat Level-Rating Criteria
    • Critical - Indicates that a definite threat exists against the assets and that the adversary has both the capability and intent to launch an attack, and that the subject or similar assets are targeted on a frequently recurring basis
    • High - Indicates that a credible threat against the asset exists, based on our knowledge of the adversary’s capability and intent to attack the asset and based on related incidents having taken place at similar facilities.
    • Medium - Indicates that there is a potential threat to the assets based on the adversary’s desire to compromise the assets and the possibility that the adversary could obtain the capacity through a third party who has demonstrated the capability in related incidents.
    • Low - Indicates little or no credible evidence of capability or intent, with no history of actual or planned threats against the assets
  • 50. Intelligence Cycle Collection Dissemination Direction Processing
  • 51. Operational Planning
    • Our planning is determined by our starting point.
    • Direction is specifically tasking assets to required information requirements.
    • Collection is the gathering of all such information from applicable sources
    • Processing is where the information is analyzed and comment added or cross checking is conducted.
    • Dissemination is the result of findings handed to the originating department/individual for their operational implementation.
  • 52. Questions??
  • 53. Step 3 Vulnerability Identification
    • To identify and characterize vulnerabilities:
    • Identify potential vulnerabilities related to specific assets or undesirable events
    • Identify existing countermeasures and their level of effectiveness in reducing vulnerabilities
    • Estimate degree of vulnerability relative to each asset and threat
  • 54. Vulnerabilities-General Issues
    • Building characteristics
    • Equipment properties
    • Personnel behavior
    • Locations of people, equipment and buildings
    • Operational and personnel practices
  • 55. Vulnerabilities-Categories
    • Physical
      • Compound perimeter security (gates, walls, fences, landscape, sewers, tunnels, parking area, alarms)
      • Compound area (CCTV, motion detectors, lighting)
      • Building perimeter (window, doors, shipping docks, shielded enclosures, access control, alarms)
      • Building interior (safes, locks, vents, building history)
  • 56. Vulnerabilities-Categories
    • Technical Vulnerabilities
      • Acoustic equipment
      • Secure telecommunications
      • RF equipment
  • 57. Vulnerabilities-Categories
    • Operational Vulnerabilities
      • Guard force
      • Personnel procedures
      • Operational Security issues (Essential Elements of Friendly Force Information EEFI, counter information plan, reporting or monitoring)
  • 58. Vulnerabilities-Existing Countermeasures Low Chain of command Critical Medium Continuous reviews High Vehicle checks Low Medium Security Awareness training Medium Low High Physical Guard force Medium Low Medium Alarms Low Door and locks Critical High Low Direct communication Low High Medium Low Specific training Low Critical High Corrective Policies Low Critical Protective Barriers Community Demonstration Information Theft Physical Attack Terrorist Bomb Existing Countermeasures
  • 59. Vulnerability Level Decision Matrix High No Yes No Critical No No No Medium Yes Yes Yes (Multiple) Low Yes Yes Yes (Single) Vulnerability Level Multiple layers of countermeasures Difficult to exploit? Vulnerable through one weakness?
  • 60. Vulnerability Rating Criteria
    • Critical - Indicates that there are no effective countermeasures currently in place and it would be extremely easy for adversaries to exploit the weakness
    • High - Indicates that although there are some countermeasures in place there are still multiple weaknesses through which adversaries would be capable of exploiting the asset.
    • Medium - Indicates that there are effective countermeasures in place. However, one weakness does exist which adversaries would be capable of exploiting.
    • Low - Indicates that multiple layers of effective countermeasures exist and adversaries would have considerable difficulty exploiting the asset.
  • 61. Questions??
  • 62. Step 4 The Risk Assessment
    • To assess risk and determine priorities for asset protection:
    • Estimate degree of impact relative to each critical asset
    • Estimate likelihood of attack by a potential adversary or threat
    • Estimate likelihood that a specific vulnerability will be exploited
    • Determine relative degree of risk: expected impact (asset value) x likelihood of successful attack (Threat x vulnerability)
    • Prioritize risks based on integrated assessment
  • 63. Overall Risk Assessment Destruction of property Fire Theft of goods Loss of equipment Medium Disruption to project / production YES / NO Low Medium Low Medium Low Medium High High Assault Accident / Injury / Medical Emergency Risk Acceptable? Overall Risk Vulnerability Rating Threat Rating Impact Rating Potential Undesirable Events
  • 64. Questions??
  • 65. Step 5 Cost-Benefit Analysis
    • To identify countermeasures, costs and tradeoffs and select a protection strategy:
    • Identify potential countermeasures to reduce vulnerabilities
    • Identify countermeasures costs
    • Conduct countermeasures cost-benefit and tradeoff analysis
    • Prioritize options and prepare recommendation for decision maker
  • 66. Typical Countermeasures
    • Procedures
    • Equipment
    • Manpower
  • 67. Typical Countermeasures
    • Contractor guard force
    • Police representatives
    • Local liaison
    • Military representatives
    • Local Management
    • Operations Centre
    • Locking mechanisms
    • Window bars
    • Doors
    • Fences
    • Alarms/ Sensors
    • Hardware / Software
    • Badges
    • Lighting
    • Paper Shredder
    • Weapons
    • CCTV
    • Safe Haven
    • Vault
    • Access control
    • Security Policies
    • Security Procedures
    • Training
    • Awareness Programs
    • Legal Prosecution
    • Security Investigations
    • Polygraph
    • Disclosure statements
    • Personnel Transfer
    • Contingency / Emergency response planning
    • Operational Security Procedures
    • Rehearsals
    • Training policies
    • Audit control
    Manpower Equipment (Physical / Technical) Procedures
  • 68. Countermeasures Identification New Risk Level Countermeasures Options Related Vulnerabilities Existing Risk Level Undesirable Events
  • 69. Cost of Countermeasures Least Expensive Most Expensive COST Manpower Written Procedures Hardware $
  • 70. Cost of Countermeasures
    • Determining Dollar Cost Value of Countermeasures
      • Purchase
      • Maintenance
      • Repair
      • Replacement
      • Life-Cycle
    • Determining Cost in Other Terms
      • Inconvenience
      • Time
      • Personnel
      • Productivity Correlation
      • Current Losses
    • Analyze the Cost and Benefit of each option
      • Compared with value of asset
      • Value for money
    • Prioritize Countermeasures Options that Address Risk
  • 71. Countermeasures Options Package
    • Bombing: countermeasures Approach Inhibitors, Stand off areas, Physical barriers; risk level reduced from Critical to Medium; cost USD$30,000
    • Armed assault: countermeasures Vehicle / Residence protection, Liability, Training, Procedure implementation, Policies development; risk level reduced from High to Low; cost USD$15,000
    • Community Unrest: countermeasures Law Enforcement Liaison, Community Projects, Sponsorship, Community Engagement; risk level reduced from High to Medium; cost USD$5,000
    • Overall Risk / Total Cost: High to Medium; USD$50,000
  • 72. Risk Management Strategies
    • Avoiding Risk
    • Reducing Risk
    • Transferring Risks
    • Diverting Risks
    • Accepting Risks
  • 73. Shields’ Site Review Process Client’s Request for assistance / offer of services Operations Warning Order given Review Conducted Site Review Team dispatched Initial appraisal conducted Task de-brief and preliminary findings Report Construction Report submitted to Marketing and Management for review Operations feedback and confirm final draft Present findings Client Review Final Plan implemented
  • 74. Intelligence Cycle Collection Dissemination Direction Processing
  • 75. Questions??
  • 76. Conclusion
    • Risk Management is the foundation of ALL security planning processes, which in turn drives the security operations cycle.
    • If this step is not done accurately and professionally this will result in increased risk to both client and personnel and equipment deployed in support of such plans.
    • The format presented here is for high end sophisticated sites, however the principles remain relevant for even the most “straight forward” site.
    • Time spent in preparation is rarely wasted
  • 77. Site Surveys: Why? It provides a logical and consistent methodology of quantifying and qualifying assets, vulnerabilities, impact and the associated risks. Tony Ridley, Security Consultant
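
The threat matrix on slide 48, the relative-risk formula on slide 62 and the package figures on slide 71 can be worked through in a few lines. The Python below is an added example, not part of the presentation. Its assumptions: the 1 to 4 numeric scale for the four ratings, the "rating steps per USD 1,000" cost-benefit metric, and the ratings in the sample register, which are constructed.

```python
from dataclasses import dataclass

# Assumed ordinal scale for the four ratings; the slides give labels, not numbers.
SCORE = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Slide 48 matrix as (intent, capability, history) -> level; None means "Yes or No".
THREAT_MATRIX = [
    ((True, True, True), "Critical"),
    ((True, True, False), "High"),
    ((True, False, None), "Medium"),
    ((False, None, False), "Low"),
]

def threat_level(intent, capability, history):
    """Return the slide 48 threat level, or raise if the matrix has no such row."""
    observed = (intent, capability, history)
    for pattern, level in THREAT_MATRIX:
        if all(want is None or want == got for want, got in zip(pattern, observed)):
            return level
    # e.g. incident history without assessed intent: needs analyst review
    raise ValueError(f"no matrix row for intent/capability/history = {observed}")

@dataclass
class Event:
    name: str
    impact: str          # impact rating (slides 30-31)
    intent: bool
    capability: bool
    history: bool
    vulnerability: str   # vulnerability rating (slide 60)

def relative_risk(event):
    """Slide 62: expected impact x (threat x vulnerability), on the assumed scale."""
    threat = threat_level(event.intent, event.capability, event.history)
    return SCORE[event.impact] * (SCORE[threat] * SCORE[event.vulnerability])

def prioritise(events):
    """Highest relative risk first."""
    return sorted(events, key=relative_risk, reverse=True)

def steps_per_1000_usd(before, after, cost_usd):
    """Assumed cost-benefit metric: rating steps removed per USD 1,000 spent."""
    return (SCORE[before] - SCORE[after]) / (cost_usd / 1000)

def rank_packages(packages):
    """Order countermeasure packages by risk reduction bought per dollar."""
    return sorted(packages, key=lambda n: steps_per_1000_usd(*packages[n]), reverse=True)

# Constructed sample register: event names follow the slides, ratings are invented.
EVENTS = [
    Event("Destruction of buildings", "Medium", False, True, False, "Low"),
    Event("Theft of classified information", "High", True, False, True, "High"),
    Event("Assault", "Critical", True, True, False, "Medium"),
]

# Slide 71 figures: (risk level before, risk level after, cost in USD).
PACKAGES = {
    "Bombing": ("Critical", "Medium", 30_000),
    "Armed assault": ("High", "Low", 15_000),
    "Community Unrest": ("High", "Medium", 5_000),
}

if __name__ == "__main__":
    for e in prioritise(EVENTS):
        print(f"{relative_risk(e):>3}  {e.name}")
    print("Best value first:", ", ".join(rank_packages(PACKAGES)))
```

The matrix has no row for an adversary with recorded incidents but no assessed intent, so the function raises instead of guessing a level; that combination is a prompt to revisit the intent assessment.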