Keys to a More Successful Physical Security Program

Background
 US Army
  Russian Cryptography Interceptor
  ○ 1984 to 1987
  Mandarin Chinese Intelligence Officer
  ○ 1989 to 2001
Sept 11, 2001
World Trade Centers
“Working in security is doing God’s work as far as I am concerned. Security work is an opportunity to serve fellow man…There is nothing greater than saving lives.”

                                                    Dr. Ona Ekhomu, CPP
                             Security Management Magazine, March 2007
                      First Nigerian ASIS Certified Protection Professional
Background
 Antiterrorism/Force    Protection
   2001 – US Corps of Engineers
   2002 – Operation Enduring Freedom
   2003 – Operation Iraqi Freedom
   2004 – Security Management Solutions
    ○ Federal Energy Regulatory Commission
    ○ Association of State Dam Safety Officials
    ○ InterAgency Forum for Infrastructure
      Protection
Post 9/11
A Paradigm Shift
Threat Dimensions
  1. Non-linear/Asymmetrical
  2. Off-the-shelf technology
  3. WMD and mass casualties
     ○ Low Tech vs. High Tech
     ○ Urban vs. Rural fights
  4. Urban fights
  5. Avoid decisive battle




                                W. Foos, SMS
Physical Attacks
  April 19, 1995 – Murrah Federal Building
  Aug 7, 1998 – US Embassy Nairobi
  Sept 11, 2001 – World Trade Centers
Physical Attacks
  11 March 2004 – Madrid Train Bombings, Spain
  Sept 2004 – Chechen Rebels
Cyber Attacks
  2003-2007 – TITAN RAIN
  2006-present – SHADY RAT
  2008 – DOD classified and unclassified systems compromised by a contaminated thumb drive
  2010 – STUXNET
  2011 – 50 DAYS OF LULZ
Cyber Attacks 2012
  13.37 million records compromised
  189 total breaches

  NY Electric and Gas 1.8m
  Global Payments 1.5m
  CA Dept. of Child Support 800k
  Utah Dept. of Technology Services 780k
Why is a Security Program so vital?
How does a Security Program Work?
      A Security Program protects assets or
      facilities against:

 1. Theft
 2. Sabotage
 3. Malevolent human attacks
 4. Natural Events
What does a Security Program Encompass?

 1.   Physical Security
 2.   Cyber Security
 3.   Personnel Security
 4.   Information Security
 5.   Business Continuity
 6.   Crisis Management
Three Components of a Security Program

(Diagram: Education, Prevention and Remediation arranged around the Security Documents.)

Education
 1.    R&D
 2.    SOPs
 3.    Emergency Response Plan
 4.    Physical Security Plans
 5.    Define, Establish, & Update HLS security procedures
 6.    Guard Contracts

Prevention
 1.    Maintenance of Systems
 2.    Assessment – Evaluations
 3.    SOP Development
 4.    Integration of Security Operations
 5.    Training & Exercise of EAPs
 6.    Implementation of Heightened Security Procedures

Remediation
 1.    Upgrading PPS
 2.    Upgrading Security Program
 3.    Responding to Incidents
 4.    Implementing Risk Reduction Recommendations

Security Documents:
 - Threat Assessments
 - Vulnerability Study
Fundamentals of Security: Integration

(Diagram: Policies, Procedures and Equipment arranged around People at the center.)

An Effective Security Program ties it all together.
Security Program Measures

1.   Preventative measures – Reduce the likelihood of an attack, delay the
     success of the attack, and protect the assets or make them less
     vulnerable to compromise.
2.   Detective measures – Discover the attack and activate corrective or
     mitigative action.
3.   Corrective measures – Reduce the effects of an attack and restore
     normal operations.
What are The Steps Necessary?

      1.   Evaluate

      2.   Establish

      3.   Sustain
Step One: Evaluation

  1.   Mission
  2.   Assets
  3.   Consequences
  4.   Threats
  5.   Security System Effectiveness
Step One: Evaluation
(Mission)
  1. What do I buy?
  2. What do I sell?
  3. How do I produce it?
  4. What components do I need to make
     what I make?
  5. What does it take to get those
     components and deliver the finished
     product?
How Missions lead to Assets
   Company Mission
   Company Vision
   License Requirements
   Shareholder Mandates
   Products of the facility
   Vendors
   Inventory System
   Shipping and Receiving
   Operational involvement & location of senior executives
Step One: Evaluation
(Assets)
1.   Physical
2.   People
3.   Knowledge
4.   Information Technology
5.   Clientele
6.   Any activity that has a
     positive value to its owner
Step One: Evaluation
(Consequences)
  What would it take to disrupt
   operations?
  What would it take to stop operations?
  What would happen to the vendors, your
   company, your customers, if operations
   paused or ceased?
  Who and What would be impacted?
Step One: Evaluation (Threat)

       The Security Program Arch
       (Diagram: an arch whose keystone is labelled THREAT.)
Step One: Evaluation (Threat)

    Natural

    Intentional

    Unintentional
Threat Categories
   Terrorists (CONUS or OCONUS)
   Saboteurs
   Criminals
   Ecological
   Cyber Threat
   Militia / Paramilitary
   Gangs
   Rogue
   Racist
   Extremist Group
   Vandals
   Insider(s)
   Other

                                               RAM™
Identifying
the Design Basis Threat
       Motivation
       Capability
       History and Behavior
        Patterns
       Current Activity
       Geographic Access
       Organization & Numbers
       Mobility
       Technology/ Tactics
                                  RAM™
Design Basis Threat (Example)

  Adversary Type:                  Militia/Paramilitary Terrorist Group
  Motivation:                      Ideological/Political/Publicity
  Group:                           Terrorist cell, 2 to 7 persons, well organized
  Tactics:                         Large-scale sabotage
  Equipment:                       Hand tools, construction equipment, 2-way radios
  Weapons:                         Small handguns, rifles, submachine guns
  Explosives:                      Vegan Jell-O, TNT or equivalent explosives
  Transportation:                  Sport utility vehicles, all-terrain vehicles, vans, 4x4s, foot access
  Intelligence gathering means:    Surveillance, Internet research, public record review
  Technical skills and knowledge:  Sophisticated technical education
  Financial resources:             Assumed unlimited
  Potential for collusion:         Disgruntled or planted employee or contractor

                                                                                  RAM™
Intelligence Methods used by Adversaries
                    Open Source Research
                    FOIA
                    Internet
                    Public Domain Technical Reports
                    People
                    Informers
                    Intelligence Agents
                    Communications
                    Photographs / Surveillance
                    Trash
Step One: Evaluation (Security System Effectiveness)
  Based on analysis of Asset and Threats,
   create Asset-Threat Pairing

  Not every Asset is considered attractive to
   the same Threat

  Every asset’s protection must be evaluated
   against its own Design Basis Threat
Basics of Security
1.   Detect
2.   Assess
3.   Delay
4.   Respond
5.   Integration and Communication
Fundamentals of Security
Protection in Depth & Balanced Protection

  (Diagram: concentric layers around the asset, outermost first.)
  Outer Perimeter
    Intermediate Perimeter
      Inner Perimeter
        Exclusion Zone
          Asset
What are The Steps Necessary?
      1.   Evaluate


      2.   Establish

      3.   Sustain
Step Two: Establish

  1.   Fill in the gaps
  2.   Create what wasn’t there
  3.   Accept versus Reject Risk
  4.   Risk Reduction Measures
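The evaluation and establishment steps above (asset-threat pairing against each asset’s own Design Basis Threat, the Detect/Assess/Delay/Respond basics, protection in depth, and management’s accept-versus-reject decision with risk reduction measures) can be exercised in a small model. What follows is an added example written for this page; it is not code from the deck or from Security Management Solutions. It assumes the Sandia RAM-style risk equation R = P_A × (1 − P_E) × C and an EASI-style timeline in which the protection system is effective when the first detection happens early enough that the delay still ahead of the adversary exceeds the response force’s arrival time; the deck credits RAM™ but states neither formula. The facility, the assets, the threats, every probability and the candidate upgrades are all constructed for illustration.

```python
"""Added example (not from the original deck): asset-threat pairing, layered
protection and accept/reject decisions in one toy model. Assumed, not given on
the page: R = P_A * (1 - P_E) * C (Sandia RAM style) and an EASI-style timeline
for P_E. Every asset, threat and number below is constructed for illustration."""
from dataclasses import dataclass

@dataclass
class Layer:
    name: str
    p_detect: float  # probability the layer detects the adversary (0..1)
    delay_s: float   # delay the layer imposes once reached, in seconds

@dataclass
class Asset:
    name: str
    consequence: float  # relative consequence of loss, 0..1
    layers: list        # protection path, outer perimeter first

@dataclass
class Threat:
    name: str
    p_attack: dict        # asset name -> P_A; absent = not attractive to it
    skip_layers: int = 0  # outer layers bypassed (an insider starts inside)

def p_interruption(layers, response_s):
    """P_E for one path: probability that the first detection happens at a
    layer from which the remaining delay (that layer and every inner one,
    detection taken at the start of the layer) still exceeds the response
    time. Neutralisation on arrival is assumed certain. Returns (P_E, critical
    detection point: the innermost layer where detection is still timely)."""
    p_undetected, p_e, cdp = 1.0, 0.0, None
    for i, layer in enumerate(layers):
        remaining = sum(l.delay_s for l in layers[i:])
        if remaining > response_s:
            p_e += p_undetected * layer.p_detect
            cdp = layer.name
        p_undetected *= 1.0 - layer.p_detect
    return p_e, cdp

def pair_risk(asset, threat, response_s):
    """R = P_A * (1 - P_E) * C for one asset-threat pair; None when the threat
    is not interested in this asset, so there is no pairing to evaluate."""
    p_a = threat.p_attack.get(asset.name)
    if p_a is None:
        return None
    p_e, _ = p_interruption(asset.layers[threat.skip_layers:], response_s)
    return p_a * (1.0 - p_e) * asset.consequence

def risk_register(assets, threats, response_s, accept_threshold):
    """Every attractive pair, highest risk first, with management's
    accept/reject decision applied at the stated threshold."""
    rows = []
    for asset in assets:
        for threat in threats:
            r = pair_risk(asset, threat, response_s)
            if r is not None:
                rows.append((asset.name, threat.name, r,
                             "ACCEPT" if r <= accept_threshold else "REJECT"))
    return sorted(rows, key=lambda row: row[2], reverse=True)

def evaluate_upgrades(asset, threat, response_s, candidates):
    """Residual risk after each candidate risk-reduction measure; a candidate
    maps (layers, response_s) to a modified (layers, response_s)."""
    results = {}
    for label, apply in candidates.items():
        new_layers, new_response = apply(list(asset.layers), response_s)
        trial = Asset(asset.name, asset.consequence, new_layers)
        results[label] = pair_risk(trial, threat, new_response)
    return results

# Constructed sample facility: two assets on different protection paths.
CONTROL_ROOM = Asset("Control room", 0.9, [
    Layer("Outer Perimeter", 0.5, 30), Layer("Intermediate Perimeter", 0.7, 60),
    Layer("Inner Perimeter", 0.9, 120), Layer("Exclusion Zone", 0.95, 240)])
WAREHOUSE = Asset("Warehouse", 0.4, [
    Layer("Outer Perimeter", 0.3, 30), Layer("Inner Perimeter", 0.6, 90)])
THREATS = [
    Threat("Paramilitary cell", {"Control room": 0.3, "Warehouse": 0.05}),
    Threat("Criminals", {"Warehouse": 0.6}),
    Threat("Insider", {"Control room": 0.2, "Warehouse": 0.2}, skip_layers=2),
]
RESPONSE_S = 300  # response force arrival time, seconds
CANDIDATES = {
    "Upgrade outer sensors (P_D 0.3 -> 0.9)":
        lambda L, r: ([Layer(L[0].name, 0.9, L[0].delay_s)] + L[1:], r),
    "Harden inner doors (+240 s delay)":
        lambda L, r: (L[:-1] + [Layer(L[-1].name, L[-1].p_detect,
                                      L[-1].delay_s + 240)], r),
    "Faster response (300 s -> 100 s)": lambda L, r: (L, 100),
}

if __name__ == "__main__":
    for row in risk_register([CONTROL_ROOM, WAREHOUSE], THREATS, RESPONSE_S, 0.05):
        print("%-13s %-18s R=%.4f %s" % row)
    # Which measure actually reduces the top rejected pair (criminals vs warehouse)?
    for label, r in evaluate_upgrades(WAREHOUSE, THREATS[1], RESPONSE_S, CANDIDATES).items():
        print("  %-40s R=%.4f" % (label, r))
```

Two points the slides make in words show up as numbers here. The insider’s path skips the outer layers, so the same asset gets a different P_E for each threat it is paired with, which is why each pairing is evaluated against its own Design Basis Threat. And for the warehouse, upgrading the outer sensors leaves the criminal pairing at R = 0.24: detection with no delay behind it gives the response force nothing to work with, whereas adding delay at the inner door is the measure that moves the pair toward the accept threshold. Balanced protection means detection, delay and response are sized together, not bought separately.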
Three Components of a Security Program

(Diagram: Education, Prevention and Remediation arranged around the Security Documents.)

Education
 1.    R&D
 2.    SOPs
 3.    Emergency Response Plan
 4.    Physical Security Plans
 5.    Define, Establish, & Update HLS security procedures
 6.    Guard Contracts

Prevention
 1.    Maintenance of Systems
 2.    Assessment – Evaluations
 3.    SOP Development
 4.    Integration of Security Operations
 5.    Training & Exercise of EAPs
 6.    Implementation of Heightened Security Procedures

Remediation
 1.    Upgrading PPS
 2.    Upgrading Security Program
 3.    Responding to Incidents
 4.    Implementing Risk Reduction Recommendations

Security Documents:
 - Threat Assessments
 - Vulnerability Study
Security Policies and Procedures
    Establish strategic security objectives and priorities
     for organization

    Identify personnel responsible for security functions

    Identify the employee responsibilities
    Should be aligned with the objectives of the
     organization
    Should cover the following topics

     - People           - Property       - Information
What are The Steps Necessary?
      1.   Evaluate

      2.   Establish


      3. Sustain
Step Three: Sustain

  1.   Education
  2.   Exercises
  3.   Relationships
  4.   Reevaluation

Editor's Notes

  • #7 Left to right: Dworshak Dam, Mica Dam, Bonneville Dam
  • #8 How we look at security has changed. How we look at security MUST change. Sometimes it is a conscious effort, sometimes it is a natural shift.
  • #12 TITAN RAIN. Years: 2003-2007. Alleged source: China. Fallout: In 2004, U.S. federal investigators discovered an ongoing series of attacks penetrating the networks of the departments of Defense, State, Energy, and Homeland Security, as well as those of defense contractors, and downloading terabytes of data.
    SHADY RAT. Years: 2006-present. Target: Dozens. Alleged source: China. Fallout: In 2011, McAfee reported the existence of a five-year-old hacking campaign it calls Shady RAT. It works by sending an email to an employee of a targeted organization, who then installs a “Trojan horse” on the computer after clicking an innocuous-looking attachment. The 49 victims include the International Olympic Committee, the United Nations, the Association of Southeast Asian Nations, companies in Japan, Switzerland, Britain, Indonesia, Denmark, Singapore, Hong Kong, Germany, and India, and the governments of the United States, Taiwan, South Korea, Vietnam, and Canada. It has been called the biggest cyberattack of all time.
    STUXNET. Year: 2010. Alleged source: Israel. Fallout: Discovered in June 2010, the Stuxnet worm exploits vulnerabilities in Windows to attack Siemens industrial control systems, such as those used in nuclear facilities. While systems in several countries, including the United States, were affected, Iran was the worst hit, with over 16,000 computers infected.
    50 DAYS OF LULZ. Year: 2011. Alleged source: LulzSec. Fallout: In the spring and summer of 2011, a group of hackers calling itself LulzSec, associated with the online collective Anonymous, went on a tear, disabling and defacing a series of prominent websites. The group also took down CIA.gov at one point. In its biggest operation, LulzSec hacked into the Sony Pictures website, compromising the personal information of more than a million users.
  • #16 The Greeks built a Horse that the Trojans brought into Troy.
    A ten-year war; the Trojans were very confident … we can become very comfortable with how we manage security.
    The Horse was an emblem of Troy … the adversary or threat will often mimic or look familiar to us.
    The Trojans brought the Horse into the city … our employees are often the carriers for the adversary.
  • #18 There are a number of ways to look at the architecture of a Security Program. A security program is ideally a composite of many specific components. In this example, there are both proactive and reactive components.
  • #21 As a security professional, what do you look for when you assess the quality and quantity of a security program? It should be composed of the following measures.
  • #23 The key to a successful evaluation is a comprehensive, methodical and sequential process. Never assume anything, as I learned early in my military career.
  • #24 The very beginning of ANY Risk or Vulnerability Assessment should be to clearly understand the organization’s mission. Unless you understand what the organization makes, sells, brokers, etc. you will not have a starting point for identifying what or who is critical to those acts of making, selling, transporting, brokering, etc.
  • #28 This is an obviously homemade graphic that represents the significance of Threat to all other aspects of Security. In the same way that a keystone holds an arch together, our knowledge of the relevant threat holds our Security Program together. Without that knowledge the Program, like an arch with the keystone removed, collapses.
  • #38 This can represent a physical security perimeter or it can represent a cyber security perimeter. The theory of layered protection and analysis is the same.
  • #40 We have just completely, and with much exhaustion, analyzed our security program and system against the paired threat and have established where the gaps and deficiencies are, if any. Step Two begins with building up the existing system based on our findings during Step One: Evaluation. A critical part of establishing a viable security program is obtaining management’s decision on what level of risk they are willing to accept and which they are not. The risk they do NOT want to accept is what we take away and then return with measures designed to reduce that risk. To the chagrin of many security professionals, many decision makers make their accept versus reject decisions on cost versus benefit versus impact.
  • #42 There are certain key points to keep in mind when an organization sets up and institutes security policies and procedures. Always have an objective or mission in mind when drafting SOPs. Always have a single Point of Contact: SomeBODY needs to be held responsible, not a department or branch or division. Ensure the SOPs cover the full spectrum of operations.
  • #44 Once the program has been evaluated and the gaps and deficiencies filled in and fleshed out, the last step is Sustaining the program. The best SOP is only as good, valid and pertinent as it is up to date. The best SOP is only as good as it is known and understood by the employees. The best access control system or alarm system is only as good as the personnel responsible for its operation. Get out there and build relationships with the community, Law Enforcement and task forces. And last, Step Three is really NOT the last step. Part of effective sustainment is constant reevaluation. Establish a program to regularly and periodically reassess your organization from Mission to Threat to Sustainment. Keep the program dynamic. Keep the people interested, educated and engaged!