RiskWatch for Physical & Homeland Security™


RiskWatch for Physical and Homeland Security™ assists the user in conducting automated risk analyses, physical security reviews, audits and vulnerability assessments of facilities and personnel. Security threats addressed include crimes against property, crimes against people, equipment or systems failure, terrorism, natural disasters, fire and bomb threats. Question sets include entry control, perimeters, fire, facilities management and guards, including a specialized set of questions for the maritime/shipping industry. New ASP functionality allows the organization in question to put the entire questionnaire process on its own server, where users log in by ID number and answer the questions appropriate to their job. From there, all answers are imported directly into the RiskWatch for Physical and Homeland Security™ program.

Published in: Technology, Business


Slide 1. Software for Physical & Homeland Security: RiskWatch®

Slide 3. The Environment: Overview
  • Management Accountability & Regulatory Compliance
    - Sarbanes-Oxley has increased the accountability of management
    - GRC & Physical Security
    - The increase in terrorism around the world has hit multinationals
    - Cargo security and the supply chain require risk analysis
    - Workplace violence continues to affect U.S. companies
  • Information Technology
  • Convergence of IT and Physical Security is here!
    - IT has become an important part of most organizations
    - New international standards for physical security include IT considerations for electronic documents

Slide 4. What Is Risk Assessment Compared to a Site Survey?
  • A process used to determine what controls are needed to protect critical or sensitive assets adequately and cost-effectively
  • The process examines five variables:
    1. Specific assets to be protected (value)
    2. Potential threats to the various assets
    3. Vulnerabilities that would allow the threats to materialize
    4. Kinds of losses that the threats could cause
    5. Safeguards that would reduce the loss or eliminate the threats

Slide 5. The Risk Assessment Process (process diagram; components shown: Automated Survey Management, Process Management, Data Aggregation & Analysis, Content (Rules & Data), Risk Analysis, Customization, Reporting, Respondents, Analyst)

Slide 6. Increased Requirements for Security Risk Assessments
  • Corporations and government auditors are instituting requirements, or expecting, that companies will perform security risk assessments. The Board and senior management are being held accountable for making sure they have done everything possible to protect the organization, including doing regular risk assessments. Assessments can include identification of threats and vulnerabilities and an analysis of security gaps and mitigation strategies, including requirements to identify the most critical assets and propose plans to protect core business functions and human assets.

Slide 7. What's RiskWatch?
  • Since 1993, RiskWatch has been the leader in security risk assessment software
  • NIST-CSE Model Builder's Workshop on Risk Assessment & the NSA Rating Model Workshops, 1988-1995
  • Participated in the Working Group to write the DOD Directive on Risk Management under the Office of the Secretary of Defense, 1996-1998
  • Participated in the Dept. of Justice Working Group on Vulnerability Assessment Models for Homeland Security, 2003
  • ASIS International, ITSC Council: Caroline Hamilton
  • IBM Data Governance Council: Caroline Hamilton

Slide 8. RiskWatch Uses Compliance Regulations, Standards and Guidelines
  • Physical Security
    - FEMA 426: Protecting Buildings Against Terrorism
    - C-TPAT (Customs and Border Protection)
    - NIPP: National Infrastructure Protection Plan
    - GSA-GPS-P100
    - Military Handbook 1013/14
    - ASIS Threat Guidelines
    - Army Field Manual Best Practices
  • Hospital Physical Security
    - Joint Commission 2007
    - IAHSS
    - Environment of Care
  • Campus & School Security
    - FEMA 428: Primer for Safe Schools
  • Federal Information Systems
    - NIST 800-53 (NIST 800-53A coming soon)
  • Information Systems & ISO Security
    - ISO/IEC 17799:2005
    - ISO/IEC 27001
    - COBIT 4
  • PCI (Payment Card Industry)
    - PCI-DSS Data Security Standard
  • Financial & Regulatory Compliance
    - GLBA (Gramm-Leach-Bliley Act)
    - FFIEC Information Security and Risk Analysis
    - Red Flag (Identity Theft)
    - BSA-AML (Bank Secrecy Act)
    - Sarbanes-Oxley Act
  • HIPAA Compliance
    - HIPAA Privacy & Security
    - NIST 800-66
  • Electric & Nuclear Compliance
    - NERC CIP 002-009 (North American Electric Reliability Council) Critical Infrastructure Protection
    - FERC (Federal Energy Regulatory Commission)
    - Nuclear Power Generators: NRC & NEI

Slide 9. The Most Critical Systems in the U.S. Use RiskWatch: The Nuclear Industry
  • The NRC, through the U.S. Defense Dept. (TWSG), funded the development of a specialized cyber risk assessment tool for nuclear power plants to meet NEI 04-04
  • RiskWatch, Inc. was chosen to engineer and develop the software
  • The software was delivered, and RiskWatch is currently developing a physical security version for the NRC under TWSG

Slide 10. RiskWatch®
A comprehensive, affordable and easy-to-use software tool that automates the surveying, data collection, analysis and reporting for physical security risk assessments and risk management.
  • Includes convergence and computerized physical controls
  • Incorporates continually updated regulatory requirements and guidelines (FEMA, GSA-PBS, etc.)
  • Guides and assists the user through the entire process
  • Easily customized by the user right on the screen
  • Identifies and quantifies risk by using the relationships between assets, threats, loss probability and vulnerability
  • Automatically produces complete risk assessment reports for security directors, business managers and executive management

Slide 11. Analyst Has Total Assessment Flexibility
  • Allows users to conduct a variety of risk assessments:
    - Vulnerability assessment only
    - Risk assessment only
    - Both vulnerability & risk assessment
    - With financial data or without
    - With return on investment data or without

Slide 12. RiskWatch Software Solutions
  • RiskWatch for Physical & Homeland Security
  • RiskWatch for Hospital Security
  • RiskWatch for C-TPAT
  • RiskWatch for Safe Schools
  • RiskWatch for NERC & FERC
  • RiskWatch for Information Systems/ISO 17799
  • RiskWatch for Financial Institutions & Credit Unions
  • RiskWatch for HIPAA Compliance
  • RiskWatch for Casinos & Gaming
  • RiskWatch for PCI
  • CASEWORKS

Slide 13. RiskWatch Clients (client logos)

Slide 14. Approach to Good Security
  • "The approach to good security is fundamentally similar regardless of the assets being protected. As GAO has previously reported for homeland security and information systems security, applying risk management principles can provide a sound foundation for effective security whether the assets are information, operations, people, or facilities. These principles have been followed by members of the intelligence and defense community for many years." (GAO-02-687T, National Security)

Slide 15. RiskWatch Is the First Choice in Security Risk Assessment Software
  • Proven methodology, field tested with users for over ten years
  • Automated survey utility
  • Completely customizable by users
  • Gartner Group approved
  • First choice for top-tier consultants
  • Based on the latest federal and audit standards

Slide 16. Why RiskWatch Stays Number One
  • "What sets RiskWatch apart from its competitors is its focus on risk analysis for security management, its ability to handle large volumes of information, and its large number of customizable features." (The Gartner Group)
  • Hundreds of users
  • Includes a project plan
  • Complete technical support
  • Comprehensive training programs: regularly scheduled monthly training in Annapolis; on-site custom training is also available

Slide 17. RiskWatch® Value
  • Reduces the time involved in performing a risk analysis by 70%
  • Users are able to customize the software to fit their own profile
  • Guaranteed to meet or exceed standards and requirements
  • Automates the survey process and finds weaknesses in security (information and physical) to discover non-compliance
  • Quantifies risk and provides an ROI metric based on the safeguards selected
  • Automatically generates a complete management-ready case summary report
Slide 19. Progress at a Glance: Tracking the Case (screenshot)

Slide 20. Auto-Populate Asset Values (screenshot)

Slide 21. RiskWatch Provides Aggregated Threat Data, or Input Your Own Organizational Data Such as Incident Report Data
  • Quantified threat data is hard to find
  • Categories of threats: natural disasters, criminal activity, terrorism, theft, systems failures
  • Collect data from web sources, government data, weather data, crime forecasts, global information services, access control systems and incident logs
  • Use data from internally collected sources

Slide 22. Use the RiskWatch Standard Threat Data or Enter Your Own Site-Specific Incident Data (screenshot)

Slide 23. Discovering Vulnerabilities Through the Web-Based Surveys
  • Vulnerabilities are specific to the organization
  • Surveys can be completed by the analyst alone, or include key individuals
  • Web-based surveys increase the accuracy and speed of survey collection and aggregation

Slide 24. Question answers map up to over forty customizable vulnerability areas (screenshot)

Slide 25. Analysts Can Customize Questions or Add New Questions
  • Questions follow an audit format
  • Each control standard matches a question
  • The analyst sets the threshold for compliance
  • Questions validate compliance with standards
  • The analyst can add, delete or modify questions

Slide 27. Server-Based Questionnaires Make It Easy to Collect Information (screenshot)

Slide 29. Includes All Relevant Safeguards and Controls
  • Alarm Systems
  • Background Checks
  • Barriers
  • Biometric Controls
  • Bomb Threat Procedures
  • Bomb Detection & Identification
  • CCTV Cameras
  • Disaster Recovery Planning
  • Emergency Response Planning
  • Entry Controls
  • Fire Controls
  • Guard Services
  • Incident Reporting
  • Incident Response
  • Intrusion Detection
  • Lock & Key Controls
  • Monitoring Systems
  • Risk Assessment
  • Security Planning
  • Security Policies
  • Security Staff
  • Technical Surveillance
  • Training Programs
  • Visitor Controls

Slide 30. Contains more than 160 controls, with default values for implementation and life cycles (screenshot)

Slide 31. Data Aggregation & Analysis (diagram). The diagram links four columns: Assets (Equipment, Generators, Facility, Staff, Warehouse, Security Systems, Visitors), Losses (Related Loss, Direct Loss, Disruption, Injury, Intangibles, Loss of Life), Threats (Accident, Shooting, Vandalism, Power Loss, Theft, Kidnapping, Homicide) and Vulnerabilities (Personnel Screening, Controlled Areas, Personnel ID, No Private Area, No Security Plan, Poor Lighting, Doors, Management). Incident data feeds in by Incident Class, Conditioned Incident and Degree of Seriousness. The model shown is:
  Risk = Asset × Loss × Threat × Vulnerability

Slide 32. Results From the Risk Assessments Can Be Used for Benchmarking and Include a Pre-Written 14+ Page Report
  • Measurable data which can be benchmarked
  • Prove the validity of findings with full audit trails
  • Use of recognized statistical probability models
  • Designed to meet all current and new directives
  • Complete templated and customizable reports

Slide 33. Mitigation Strategies
  1. Accept risk
  2. Transfer risk
  3. Mitigate risk
  4. Better risk reactions
  5. Dealing with residual risk
Slide 36. Survey answers can be shown by job title or by individual name (screenshot)

Slide 37. Shows the annual loss expectancy by threat (screenshot)

Slide 38. Loss expectancy is also shown by asset category impact (screenshot)

Slide 39. The report details loss protection by threat category (screenshot)

Slide 40. RiskWatch Calculates the Return on Investment and Recommends Cost-Effective Security Controls
In this example, finishing and updating the Disaster Recovery Plan had a 2000:1 ROI; that means for every dollar spent on updating the plan, the organization saves $2,000,000.
  • Finish Disaster Recovery Plan: 2000:1
  • Finish the Security Plan: 1200:1
  • Complete Security Training: 943:1

Slide 41. Recommended security controls are listed by return on investment (screenshot)

Slide 42. This graph illustrates how implementing the top 20 controls contributes to a cumulative reduction in loss potential (screenshot)
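The asset, loss, threat and vulnerability relationship on slide 31, the per-threat loss expectancy on slide 37 and the ROI ranking with cumulative loss reduction on slides 40 to 42, worked as an added Python example. It is an illustration with constructed figures, not RiskWatch's own model or threat data; the annualised loss expectancy (ALE) and ROI formulas, and the assumption that controls reduce vulnerability multiplicatively, are this example's own.

```python
from dataclasses import dataclass

@dataclass
class Exposure:  # one asset/threat pair as in the slide-31 diagram
    asset: str
    threat: str
    asset_value: float    # replacement value in dollars
    loss_fraction: float  # share of asset value lost per successful incident
    annual_rate: float    # expected incidents per year (threat data)
    vulnerability: float  # probability an incident succeeds with current controls

    def ale(self, vulnerability=None):
        # Risk = Asset x Loss x Threat x Vulnerability, expressed per year
        v = self.vulnerability if vulnerability is None else vulnerability
        return self.asset_value * self.loss_fraction * self.annual_rate * v

@dataclass
class Safeguard:
    name: str
    annual_cost: float
    mitigates: dict  # threat -> fraction by which the control cuts vulnerability

def ale_by_threat(exposures):
    """Annual loss expectancy summed per threat (the slide-37 view)."""
    totals = {}
    for e in exposures:
        totals[e.threat] = totals.get(e.threat, 0.0) + e.ale()
    return totals

def safeguard_roi(s, exposures):
    """Loss avoided per dollar of annual control cost (the slide-40 ratio)."""
    avoided = sum(e.ale() * s.mitigates.get(e.threat, 0.0) for e in exposures)
    return avoided / s.annual_cost

def rank_by_roi(safeguards, exposures):
    return sorted(safeguards, key=lambda s: safeguard_roi(s, exposures), reverse=True)

def cumulative_reduction(ranked, exposures):
    """Apply ranked controls in order (reductions compound multiplicatively);
    returns [(control name, cumulative annual loss avoided)], the slide-42 curve."""
    baseline = sum(e.ale() for e in exposures)
    remaining = [e.vulnerability for e in exposures]
    out = []
    for s in ranked:
        remaining = [v * (1 - s.mitigates.get(e.threat, 0.0)) for v, e in zip(remaining, exposures)]
        out.append((s.name, baseline - sum(e.ale(v) for v, e in zip(remaining, exposures))))
    return out

SAMPLE_EXPOSURES = [  # constructed sample data, not RiskWatch's threat database
    Exposure("Warehouse", "Theft", 500_000, 0.10, 2.0, 0.5),
    Exposure("Generators", "Power Loss", 200_000, 0.25, 4.0, 0.3),
    Exposure("Staff", "Shooting", 1_000_000, 1.0, 0.01, 0.6),
    Exposure("Facility", "Vandalism", 300_000, 0.05, 6.0, 0.4)]
SAMPLE_SAFEGUARDS = [  # constructed costs and effectiveness estimates
    Safeguard("Entry Controls", 20_000, {"Theft": 0.4, "Shooting": 0.5}),
    Safeguard("Finish Disaster Recovery Plan", 5_000, {"Power Loss": 0.8}),
    Safeguard("CCTV Cameras", 12_000, {"Theft": 0.5, "Vandalism": 0.6})]
```

With this data the Disaster Recovery Plan ranks first (ROI 9.6), and the three controls together cut the $152,000 baseline ALE by $107,600.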
Slide 43. The Bottom Line
  • Security risk management requirements will continue to increase and need to be standardized
  • Measuring and managing security by return on investment gives you the best bang for the buck
  • Using RiskWatch is the best way to meet security requirements, quantify areas of weakness, justify security controls, and manage and validate the security budget

Slide 44. Caroline Hamilton, 410-224-4773 x105, [email_address]