Benefits of a truly wholistic approach to Security in Government 
Jolyon Keegan, Government Portfolio Lead 
Vern Amey, Senior Security Risk Consultant 
Des Sengunlu, Senior Physical Protections Consultant
Outline
Introductions 
Evolution to PSPF 
Observations 
Wholistic system 
Security risk 
A cyclical approach 
Benefits 
Key takeaways 
Discussion
Our Three Key Presenters
Jolyon Keegan, Government Portfolio Lead
Vern Amey, Senior Security Risk Consultant
Des Sengunlu, Senior Physical Protections Consultant
Our Background
Evolution of PSPF Risk-based Approach
Pre 9/11
Focus on risks associated with foreign espionage
Protection of Australian Government information (aimed more at the higher classification levels – primarily hard copy)
Government Agency security less focussed on physical and personnel measures
General Government security policy
Evolution of PSPF Risk-based Approach
2001 – 2010
Security risk focus broadened to include risks associated with protection against a high-impact event
Australian Government security policy became the Protective Security Manual
So were born the protective security elements of Physical, Personnel and Information security
Security risk mitigation strategies became multi-faceted
Evolution of PSPF Risk-based Approach
2011
The threat and risk landscape changes
Risk associated with cyber intrusion becomes a major focus
Security risk again heavily focussed on Information Security
The Australian Government completes delivery of a revised security policy in the form of the Protective Security Policy Framework
Agencies are to take a risk-based approach to protective security
Our Key Observations
1. Cookie-cutter risk assessments
2. Shelved risk assessments
3. Document present = tick
4. Lack of security input to budgets
5. Policy development in blissful isolation
6. Security-in-depth overkill or controls mismatch
7. Security as an opportunity/enabler, rather than an impost
8. A factor in all of these = risk
Security is a Wholistic System
Policies
Physical Controls
Budgets
Incidents & Investigations
Personnel Controls
Information Controls
Audit, Assurance & Review
Plans
Risk as the system driver
Establish the ‘Agency-specific’ threat context
Determine risk tolerance
Identify criticality of assets
Assess what the agency is doing right and what is missing from a protective security perspective
Identify relationships between security risk, WH&S, emergency management, business continuity and enterprise risk processes
Define the pathway to developing wholistic security risk treatment strategies
Agree that security risk management is good business sense
When it’s all said and done, don’t walk away
Cyclical approach
Security risk assessment/security risk review
Initial planning/planning updates
Policy development/policy review
Implementation planning
Implementation
Operations
PSPF annual assurance
Higher planning/higher planning updates
Ongoing security risk monitoring
Higher policy/higher policy updates
Investigations
Targeted reviews and audits
Incident data analysis
Projects/validation exercises
Benefits
Helps protective security in an organisation:
to align with the risk-based approach intent of the PSPF
to be responsive to a changing environment
to remain relevant to executive management (risk owners)
Key Takeaways and Discussion
The component parts must interact – communication essential
Risk context is crucial – tailoring important
Take a cyclical, wholistic approach driven by risk
Benefits of a Truly Wholistic Approach to Security in Government

More Related Content

Viewers also liked

Bonds ppt
Bonds pptBonds ppt
Bonds ppt
bindeshwari
 
RBI GSec Auction Process
RBI GSec Auction ProcessRBI GSec Auction Process
RBI GSec Auction Process
Abhijeet Deshmukh
 
Why Care About Government Security
Why Care About Government SecurityWhy Care About Government Security
Why Care About Government Security
Michael Smith
 
Government Securities - Classification and Valuation
Government Securities - Classification and ValuationGovernment Securities - Classification and Valuation
Government Securities - Classification and Valuation
Abhijeet Deshmukh
 
Attitude of investors towards post office savings
Attitude of investors towards post office savingsAttitude of investors towards post office savings
Attitude of investors towards post office savings
Nithya Ravi
 
Valuation of bonds and debentures
Valuation of bonds and debenturesValuation of bonds and debentures
Valuation of bonds and debentures
Bhargavi Bhanu
 
Type of debt security
Type of debt securityType of debt security
Type of debt security
Lalji Patel
 
Cyber security government ppt By Vishwadeep Badgujar
Cyber security government  ppt By Vishwadeep BadgujarCyber security government  ppt By Vishwadeep Badgujar
Cyber security government ppt By Vishwadeep Badgujar
Vishwadeep Badgujar
 
project report on different post office saving schemes
project report on different post office saving schemesproject report on different post office saving schemes
project report on different post office saving schemes
Prakhar Mittal
 
A.loans & advances
A.loans & advancesA.loans & advances
A.loans & advances
Ronak Karanpuria
 
Post office(SB, FD, RD, Insurance schemes)
Post office(SB, FD, RD, Insurance schemes)Post office(SB, FD, RD, Insurance schemes)
Post office(SB, FD, RD, Insurance schemes)
Neetu Ps
 
Bonds and Debentures
Bonds and DebenturesBonds and Debentures
Bonds and Debentures
Rohan Negi
 
Auction presentation
Auction presentationAuction presentation
Auction presentation
techmodi_India
 

Viewers also liked (13)

Bonds ppt
Bonds pptBonds ppt
Bonds ppt
 
RBI GSec Auction Process
RBI GSec Auction ProcessRBI GSec Auction Process
RBI GSec Auction Process
 
Why Care About Government Security
Why Care About Government SecurityWhy Care About Government Security
Why Care About Government Security
 
Government Securities - Classification and Valuation
Government Securities - Classification and ValuationGovernment Securities - Classification and Valuation
Government Securities - Classification and Valuation
 
Attitude of investors towards post office savings
Attitude of investors towards post office savingsAttitude of investors towards post office savings
Attitude of investors towards post office savings
 
Valuation of bonds and debentures
Valuation of bonds and debenturesValuation of bonds and debentures
Valuation of bonds and debentures
 
Type of debt security
Type of debt securityType of debt security
Type of debt security
 
Cyber security government ppt By Vishwadeep Badgujar
Cyber security government  ppt By Vishwadeep BadgujarCyber security government  ppt By Vishwadeep Badgujar
Cyber security government ppt By Vishwadeep Badgujar
 
project report on different post office saving schemes
project report on different post office saving schemesproject report on different post office saving schemes
project report on different post office saving schemes
 
A.loans & advances
A.loans & advancesA.loans & advances
A.loans & advances
 
Post office(SB, FD, RD, Insurance schemes)
Post office(SB, FD, RD, Insurance schemes)Post office(SB, FD, RD, Insurance schemes)
Post office(SB, FD, RD, Insurance schemes)
 
Bonds and Debentures
Bonds and DebenturesBonds and Debentures
Bonds and Debentures
 
Auction presentation
Auction presentationAuction presentation
Auction presentation
 

Similar to Benefits of a Truly Wholistic Approach to Security in Government

Titas Global Ltd
Titas Global LtdTitas Global Ltd
Titas Global Ltd
Andrew Newcombe
 
Enhancing organizational security a comprehensive approach to information sec...
Enhancing organizational security a comprehensive approach to information sec...Enhancing organizational security a comprehensive approach to information sec...
Enhancing organizational security a comprehensive approach to information sec...
Altius IT
 
Guidance for enhancing security posture #counter #terrorism
Guidance for enhancing security posture #counter #terrorismGuidance for enhancing security posture #counter #terrorism
Guidance for enhancing security posture #counter #terrorism
Eddie Hirst MSc MSyl
 
MAPPING_ISO27001_TO_COBIT4.1
MAPPING_ISO27001_TO_COBIT4.1MAPPING_ISO27001_TO_COBIT4.1
MAPPING_ISO27001_TO_COBIT4.1
Christopher OPARAUGO, MBA, CGEIT, CISM, CRISC
 
Information Security Risk Management Overview
Information Security Risk Management OverviewInformation Security Risk Management Overview
Information Security Risk Management Overview
Wesley Moore
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-level
Donald Tabone
 
Meaningful Use and Security Risk Analysis
Meaningful Use and Security Risk AnalysisMeaningful Use and Security Risk Analysis
Meaningful Use and Security Risk Analysis
Evan Francen
 
Fortifying Your Organization Crafting an Effective Information Security Polic...
Fortifying Your Organization Crafting an Effective Information Security Polic...Fortifying Your Organization Crafting an Effective Information Security Polic...
Fortifying Your Organization Crafting an Effective Information Security Polic...
Altius IT
 
Information security – risk identification is all
Information security – risk identification is allInformation security – risk identification is all
Information security – risk identification is all
PECB
 
Project/Program Risk management
Project/Program Risk managementProject/Program Risk management
Project/Program Risk management
Shan Sokhanvar (CISM, AWS-SAP, PMP, MCTS)
 
Massachusetts data privacy rules v6.0
Massachusetts data privacy rules v6.0Massachusetts data privacy rules v6.0
Massachusetts data privacy rules v6.0
stevemeltzer
 
FERMA presentation at the IIA Belgium Conference
FERMA presentation at the IIA Belgium ConferenceFERMA presentation at the IIA Belgium Conference
FERMA presentation at the IIA Belgium Conference
FERMA
 
RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™
CPaschal
 
The Business Of Information Security V2.0
The Business Of Information Security V2.0The Business Of Information Security V2.0
The Business Of Information Security V2.0
theonassiokas
 
Risk Pooling In Health Care Finance
Risk Pooling In Health Care FinanceRisk Pooling In Health Care Finance
Risk Pooling In Health Care Finance
Lindsey Rivera
 
Risk Management in Supply chain management
Risk Management in Supply chain managementRisk Management in Supply chain management
Risk Management in Supply chain management
Nishikant Rajeshirke
 
Convergence innovative integration of security
Convergence   innovative integration of securityConvergence   innovative integration of security
Convergence innovative integration of security
ciso_insights
 
PECB Webinar: ISO 31000 – Risk Management and how it can help an organization
PECB Webinar: ISO 31000 – Risk Management and how it can help an organizationPECB Webinar: ISO 31000 – Risk Management and how it can help an organization
PECB Webinar: ISO 31000 – Risk Management and how it can help an organization
PECB
 
P4I_Capacity Building Workshop 4_Deep Dive into TCFD_v1.0.pdf
P4I_Capacity Building Workshop 4_Deep Dive into TCFD_v1.0.pdfP4I_Capacity Building Workshop 4_Deep Dive into TCFD_v1.0.pdf
P4I_Capacity Building Workshop 4_Deep Dive into TCFD_v1.0.pdf
KnowledgeDevourer
 
Safety Officer role and responsibilkities .pptx
Safety Officer role and responsibilkities .pptxSafety Officer role and responsibilkities .pptx
Safety Officer role and responsibilkities .pptx
HrkHrk1
 

Similar to Benefits of a Truly Wholistic Approach to Security in Government (20)

Titas Global Ltd
Titas Global LtdTitas Global Ltd
Titas Global Ltd
 
Enhancing organizational security a comprehensive approach to information sec...
Enhancing organizational security a comprehensive approach to information sec...Enhancing organizational security a comprehensive approach to information sec...
Enhancing organizational security a comprehensive approach to information sec...
 
Guidance for enhancing security posture #counter #terrorism
Guidance for enhancing security posture #counter #terrorismGuidance for enhancing security posture #counter #terrorism
Guidance for enhancing security posture #counter #terrorism
 
MAPPING_ISO27001_TO_COBIT4.1
MAPPING_ISO27001_TO_COBIT4.1MAPPING_ISO27001_TO_COBIT4.1
MAPPING_ISO27001_TO_COBIT4.1
 
Information Security Risk Management Overview
Information Security Risk Management OverviewInformation Security Risk Management Overview
Information Security Risk Management Overview
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-level
 
Meaningful Use and Security Risk Analysis
Meaningful Use and Security Risk AnalysisMeaningful Use and Security Risk Analysis
Meaningful Use and Security Risk Analysis
 
Fortifying Your Organization Crafting an Effective Information Security Polic...
Fortifying Your Organization Crafting an Effective Information Security Polic...Fortifying Your Organization Crafting an Effective Information Security Polic...
Fortifying Your Organization Crafting an Effective Information Security Polic...
 
Information security – risk identification is all
Information security – risk identification is allInformation security – risk identification is all
Information security – risk identification is all
 
Project/Program Risk management
Project/Program Risk managementProject/Program Risk management
Project/Program Risk management
 
Massachusetts data privacy rules v6.0
Massachusetts data privacy rules v6.0Massachusetts data privacy rules v6.0
Massachusetts data privacy rules v6.0
 
FERMA presentation at the IIA Belgium Conference
FERMA presentation at the IIA Belgium ConferenceFERMA presentation at the IIA Belgium Conference
FERMA presentation at the IIA Belgium Conference
 
RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™
 
The Business Of Information Security V2.0
The Business Of Information Security V2.0The Business Of Information Security V2.0
The Business Of Information Security V2.0
 
Risk Pooling In Health Care Finance
Risk Pooling In Health Care FinanceRisk Pooling In Health Care Finance
Risk Pooling In Health Care Finance
 
Risk Management in Supply chain management
Risk Management in Supply chain managementRisk Management in Supply chain management
Risk Management in Supply chain management
 
Convergence innovative integration of security
Convergence   innovative integration of securityConvergence   innovative integration of security
Convergence innovative integration of security
 
PECB Webinar: ISO 31000 – Risk Management and how it can help an organization
PECB Webinar: ISO 31000 – Risk Management and how it can help an organizationPECB Webinar: ISO 31000 – Risk Management and how it can help an organization
PECB Webinar: ISO 31000 – Risk Management and how it can help an organization
 
P4I_Capacity Building Workshop 4_Deep Dive into TCFD_v1.0.pdf
P4I_Capacity Building Workshop 4_Deep Dive into TCFD_v1.0.pdfP4I_Capacity Building Workshop 4_Deep Dive into TCFD_v1.0.pdf
P4I_Capacity Building Workshop 4_Deep Dive into TCFD_v1.0.pdf
 
Safety Officer role and responsibilkities .pptx
Safety Officer role and responsibilkities .pptxSafety Officer role and responsibilkities .pptx
Safety Officer role and responsibilkities .pptx
 

Recently uploaded

Indira awas yojana housing scheme renamed as PMAY
Indira awas yojana housing scheme renamed as PMAYIndira awas yojana housing scheme renamed as PMAY
Indira awas yojana housing scheme renamed as PMAY
narinav14
 
Spending in the 340B Drug Pricing Program, 2010 to 2021
Spending in the 340B Drug Pricing Program, 2010 to 2021Spending in the 340B Drug Pricing Program, 2010 to 2021
Spending in the 340B Drug Pricing Program, 2010 to 2021
Congressional Budget Office
 
CBO's Immigration Projections - Presentation
CBO's Immigration Projections - PresentationCBO's Immigration Projections - Presentation
CBO's Immigration Projections - Presentation
Congressional Budget Office
 
一比一原版(theauckland毕业证书)新西兰奥克兰大学毕业证成绩单如何办理
一比一原版(theauckland毕业证书)新西兰奥克兰大学毕业证成绩单如何办理一比一原版(theauckland毕业证书)新西兰奥克兰大学毕业证成绩单如何办理
一比一原版(theauckland毕业证书)新西兰奥克兰大学毕业证成绩单如何办理
odmqk
 
2024: The FAR - Federal Acquisition Regulations, Part 41
2024: The FAR - Federal Acquisition Regulations, Part 412024: The FAR - Federal Acquisition Regulations, Part 41
2024: The FAR - Federal Acquisition Regulations, Part 41
JSchaus & Associates
 
Lecture 7 Module VII Agriculture Insurance - Support Services (2).pdf
Lecture 7 Module VII Agriculture Insurance - Support Services (2).pdfLecture 7 Module VII Agriculture Insurance - Support Services (2).pdf
Lecture 7 Module VII Agriculture Insurance - Support Services (2).pdf
tshree896
 
karnataka housing board schemes . all schemes
karnataka housing board schemes . all schemeskarnataka housing board schemes . all schemes
karnataka housing board schemes . all schemes
narinav14
 
The Power of Community Newsletters: A Case Study from Wolverton and Greenleys...
The Power of Community Newsletters: A Case Study from Wolverton and Greenleys...The Power of Community Newsletters: A Case Study from Wolverton and Greenleys...
The Power of Community Newsletters: A Case Study from Wolverton and Greenleys...
Scribe
 
Bharat Mata - History of Indian culture.pdf
Bharat Mata - History of Indian culture.pdfBharat Mata - History of Indian culture.pdf
Bharat Mata - History of Indian culture.pdf
Bharat Mata
 
GUIA_LEGAL_CHAPTER_6_IMMIGRATION_REGIME.pdf
GUIA_LEGAL_CHAPTER_6_IMMIGRATION_REGIME.pdfGUIA_LEGAL_CHAPTER_6_IMMIGRATION_REGIME.pdf
GUIA_LEGAL_CHAPTER_6_IMMIGRATION_REGIME.pdf
ProexportColombia1
 
How To Cultivate Community Affinity Throughout The Generosity Journey
How To Cultivate Community Affinity Throughout The Generosity JourneyHow To Cultivate Community Affinity Throughout The Generosity Journey
How To Cultivate Community Affinity Throughout The Generosity Journey
Aggregage
 
Health Insurance Coverage for the U.S. Population, 2024 to 2034
Health Insurance Coverage for the U.S. Population, 2024 to 2034Health Insurance Coverage for the U.S. Population, 2024 to 2034
Health Insurance Coverage for the U.S. Population, 2024 to 2034
Congressional Budget Office
 
TRUE BOOK OF LIFE 1.15 OF TRUE JESUS CHRIST
TRUE BOOK OF LIFE 1.15 OF TRUE JESUS CHRISTTRUE BOOK OF LIFE 1.15 OF TRUE JESUS CHRIST
TRUE BOOK OF LIFE 1.15 OF TRUE JESUS CHRIST
Cheong Man Keong
 
一比一原版英国阿伯丁大学毕业证(AU毕业证书)学历如何办理
一比一原版英国阿伯丁大学毕业证(AU毕业证书)学历如何办理一比一原版英国阿伯丁大学毕业证(AU毕业证书)学历如何办理
一比一原版英国阿伯丁大学毕业证(AU毕业证书)学历如何办理
afsebu
 
一比一原版(uoit毕业证书)加拿大安大略理工大学毕业证如何办理
一比一原版(uoit毕业证书)加拿大安大略理工大学毕业证如何办理一比一原版(uoit毕业证书)加拿大安大略理工大学毕业证如何办理
一比一原版(uoit毕业证书)加拿大安大略理工大学毕业证如何办理
vfefek
 
在线制作(umich毕业证书)美国密歇根大学毕业证学位证书原版一模一样
在线制作(umich毕业证书)美国密歇根大学毕业证学位证书原版一模一样在线制作(umich毕业证书)美国密歇根大学毕业证学位证书原版一模一样
在线制作(umich毕业证书)美国密歇根大学毕业证学位证书原版一模一样
zvpwjpty
 
G7 Apulia Leaders Communique, June 2024 (1).pdf
G7 Apulia Leaders Communique, June 2024 (1).pdfG7 Apulia Leaders Communique, June 2024 (1).pdf
G7 Apulia Leaders Communique, June 2024 (1).pdf
Energy for One World
 
ColombiaPresentation.pptx macroeconomics
ColombiaPresentation.pptx macroeconomicsColombiaPresentation.pptx macroeconomics
ColombiaPresentation.pptx macroeconomics
JuanFelipeHerrera4
 
Milton Keynes Hospital Charity - A guide to leaving a gift in your Will
Milton Keynes Hospital Charity - A guide to leaving a gift in your WillMilton Keynes Hospital Charity - A guide to leaving a gift in your Will
Milton Keynes Hospital Charity - A guide to leaving a gift in your Will
fundraising4
 
History Of Balochistan amazing .pptx / HOB
History Of Balochistan amazing .pptx      / HOBHistory Of Balochistan amazing .pptx      / HOB
History Of Balochistan amazing .pptx / HOB
uzma baloch
 

Recently uploaded (20)

Indira awas yojana housing scheme renamed as PMAY
Indira awas yojana housing scheme renamed as PMAYIndira awas yojana housing scheme renamed as PMAY
Indira awas yojana housing scheme renamed as PMAY
 
Spending in the 340B Drug Pricing Program, 2010 to 2021
Spending in the 340B Drug Pricing Program, 2010 to 2021Spending in the 340B Drug Pricing Program, 2010 to 2021
Spending in the 340B Drug Pricing Program, 2010 to 2021
 
CBO's Immigration Projections - Presentation
CBO's Immigration Projections - PresentationCBO's Immigration Projections - Presentation
CBO's Immigration Projections - Presentation
 
一比一原版(theauckland毕业证书)新西兰奥克兰大学毕业证成绩单如何办理
一比一原版(theauckland毕业证书)新西兰奥克兰大学毕业证成绩单如何办理一比一原版(theauckland毕业证书)新西兰奥克兰大学毕业证成绩单如何办理
一比一原版(theauckland毕业证书)新西兰奥克兰大学毕业证成绩单如何办理
 
2024: The FAR - Federal Acquisition Regulations, Part 41
2024: The FAR - Federal Acquisition Regulations, Part 412024: The FAR - Federal Acquisition Regulations, Part 41
2024: The FAR - Federal Acquisition Regulations, Part 41
 
Lecture 7 Module VII Agriculture Insurance - Support Services (2).pdf
Lecture 7 Module VII Agriculture Insurance - Support Services (2).pdfLecture 7 Module VII Agriculture Insurance - Support Services (2).pdf
Lecture 7 Module VII Agriculture Insurance - Support Services (2).pdf
 
karnataka housing board schemes . all schemes
karnataka housing board schemes . all schemeskarnataka housing board schemes . all schemes
karnataka housing board schemes . all schemes
 
The Power of Community Newsletters: A Case Study from Wolverton and Greenleys...
The Power of Community Newsletters: A Case Study from Wolverton and Greenleys...The Power of Community Newsletters: A Case Study from Wolverton and Greenleys...
The Power of Community Newsletters: A Case Study from Wolverton and Greenleys...
 
Bharat Mata - History of Indian culture.pdf
Bharat Mata - History of Indian culture.pdfBharat Mata - History of Indian culture.pdf
Bharat Mata - History of Indian culture.pdf
 
GUIA_LEGAL_CHAPTER_6_IMMIGRATION_REGIME.pdf
GUIA_LEGAL_CHAPTER_6_IMMIGRATION_REGIME.pdfGUIA_LEGAL_CHAPTER_6_IMMIGRATION_REGIME.pdf
GUIA_LEGAL_CHAPTER_6_IMMIGRATION_REGIME.pdf
 
How To Cultivate Community Affinity Throughout The Generosity Journey
How To Cultivate Community Affinity Throughout The Generosity JourneyHow To Cultivate Community Affinity Throughout The Generosity Journey
How To Cultivate Community Affinity Throughout The Generosity Journey
 
Health Insurance Coverage for the U.S. Population, 2024 to 2034
Health Insurance Coverage for the U.S. Population, 2024 to 2034Health Insurance Coverage for the U.S. Population, 2024 to 2034
Health Insurance Coverage for the U.S. Population, 2024 to 2034
 
TRUE BOOK OF LIFE 1.15 OF TRUE JESUS CHRIST
TRUE BOOK OF LIFE 1.15 OF TRUE JESUS CHRISTTRUE BOOK OF LIFE 1.15 OF TRUE JESUS CHRIST
TRUE BOOK OF LIFE 1.15 OF TRUE JESUS CHRIST
 
一比一原版英国阿伯丁大学毕业证(AU毕业证书)学历如何办理
一比一原版英国阿伯丁大学毕业证(AU毕业证书)学历如何办理一比一原版英国阿伯丁大学毕业证(AU毕业证书)学历如何办理
一比一原版英国阿伯丁大学毕业证(AU毕业证书)学历如何办理
 
一比一原版(uoit毕业证书)加拿大安大略理工大学毕业证如何办理
一比一原版(uoit毕业证书)加拿大安大略理工大学毕业证如何办理一比一原版(uoit毕业证书)加拿大安大略理工大学毕业证如何办理
一比一原版(uoit毕业证书)加拿大安大略理工大学毕业证如何办理
 
在线制作(umich毕业证书)美国密歇根大学毕业证学位证书原版一模一样
在线制作(umich毕业证书)美国密歇根大学毕业证学位证书原版一模一样在线制作(umich毕业证书)美国密歇根大学毕业证学位证书原版一模一样
在线制作(umich毕业证书)美国密歇根大学毕业证学位证书原版一模一样
 
G7 Apulia Leaders Communique, June 2024 (1).pdf
G7 Apulia Leaders Communique, June 2024 (1).pdfG7 Apulia Leaders Communique, June 2024 (1).pdf
G7 Apulia Leaders Communique, June 2024 (1).pdf
 
ColombiaPresentation.pptx macroeconomics
ColombiaPresentation.pptx macroeconomicsColombiaPresentation.pptx macroeconomics
ColombiaPresentation.pptx macroeconomics
 
Milton Keynes Hospital Charity - A guide to leaving a gift in your Will
Milton Keynes Hospital Charity - A guide to leaving a gift in your WillMilton Keynes Hospital Charity - A guide to leaving a gift in your Will
Milton Keynes Hospital Charity - A guide to leaving a gift in your Will
 
History Of Balochistan amazing .pptx / HOB
History Of Balochistan amazing .pptx      / HOBHistory Of Balochistan amazing .pptx      / HOB
History Of Balochistan amazing .pptx / HOB
 

Benefits of a Truly Wholistic Approach to Security in Government

  • 1. Benefits of a truly wholistic approach to Security in Government. Jolyon Keegan, Government Portfolio Lead; Vern Amey, Senior Security Risk Consultant; Des Sengunlu, Senior Physical Protections Consultant
  • 3. Outline: Introductions; Evolution to PSPF; Observations; Wholistic system; Security risk; A cyclical approach; Benefits; Key takeaways; Discussion
  • 4. Our Three Key Presenters
  • 5. Our Three Key Presenters: Jolyon Keegan, Government Portfolio Lead
  • 6. Our Three Key Presenters: Jolyon Keegan, Government Portfolio Lead; Vern Amey, Senior Security Risk Consultant
  • 7. Our Three Key Presenters: Jolyon Keegan, Government Portfolio Lead; Vern Amey, Senior Security Risk Consultant; Des Sengunlu, Senior Physical Protections Consultant
  • 9. Evolution of PSPF Risk-based Approach (Pre 9/11)
  • 10. Evolution of PSPF Risk-based Approach (Pre 9/11): Focus on risks associated with foreign espionage
  • 11. Evolution of PSPF Risk-based Approach (Pre 9/11): Focus on risks associated with foreign espionage; Protection of Australian Government information (aimed more at the higher classification levels – primarily hard copy)
  • 12. Evolution of PSPF Risk-based Approach (Pre 9/11): Focus on risks associated with foreign espionage; Protection of Australian Government information (aimed more at the higher classification levels – primarily hard copy); Government Agency security less focussed on physical and personnel measures
  • 13. Evolution of PSPF Risk-based Approach (Pre 9/11): Focus on risks associated with foreign espionage; Protection of Australian Government information (aimed more at the higher classification levels – primarily hard copy); Government Agency security less focussed on physical and personnel measures; General Government security policy
  • 14. Evolution of PSPF Risk-based Approach (2001 – 2010)
  • 15. Evolution of PSPF Risk-based Approach (2001 – 2010): Security risk focus broadened to include risks associated with protection against a high-impact event
  • 16. Evolution of PSPF Risk-based Approach (2001 – 2010): Security risk focus broadened to include risks associated with protection against a high-impact event; Australian Government security policy became the Protective Security Manual
  • 17. Evolution of PSPF Risk-based Approach (2001 – 2010): Security risk focus broadened to include risks associated with protection against a high-impact event; Australian Government security policy became the Protective Security Manual; So were born the protective security elements of Physical, Personnel and Information security
  • 18. Evolution of PSPF Risk-based Approach (2001 – 2010): Security risk focus broadened to include risks associated with protection against a high-impact event; Australian Government security policy became the Protective Security Manual; So were born the protective security elements of Physical, Personnel and Information security; Security risk mitigation strategies became multi-faceted
  • 19. Evolution of PSPF Risk-based Approach (2011)
  • 20. Evolution of PSPF Risk-based Approach (2011): The threat and risk landscape changes
  • 21. Evolution of PSPF Risk-based Approach (2011): The threat and risk landscape changes; Risk associated with cyber intrusion becomes a major focus
  • 22. Evolution of PSPF Risk-based Approach (2011): The threat and risk landscape changes; Risk associated with cyber intrusion becomes a major focus; Security risk again heavily focussed on Information Security
  • 23. Evolution of PSPF Risk-based Approach (2011): The threat and risk landscape changes; Risk associated with cyber intrusion becomes a major focus; Security risk again heavily focussed on Information Security; The Australian Government completes delivery of a revised security policy in the form of the Protective Security Policy Framework
  • 24. Evolution of PSPF Risk-based Approach (2011): The threat and risk landscape changes; Risk associated with cyber intrusion becomes a major focus; Security risk again heavily focussed on Information Security; The Australian Government completes delivery of a revised security policy in the form of the Protective Security Policy Framework; Agencies are to take a risk-based approach to protective security
  • 25. Our Key Observations
  • 26. Our Key Observations: 1. Cookie-cutter risk assessments
  • 27. Our Key Observations: 1. Cookie-cutter risk assessments; 2. Shelved risk assessments
  • 28. Our Key Observations: 1. Cookie-cutter risk assessments; 2. Shelved risk assessments; 3. Document present = tick
  • 29. Our Key Observations: 1. Cookie-cutter risk assessments; 2. Shelved risk assessments; 3. Document present = tick; 4. Lack of security input to budgets
  • 30. Our Key Observations: 5. Policy development in blissful isolation
  • 31. Our Key Observations: 5. Policy development in blissful isolation; 6. Security-in-depth overkill or controls mismatch
  • 32. Our Key Observations: 5. Policy development in blissful isolation; 6. Security-in-depth overkill or controls mismatch; 7. Security as an opportunity/enabler, rather than an impost
  • 33. Our Key Observations: 5. Policy development in blissful isolation; 6. Security-in-depth overkill or controls mismatch; 7. Security as an opportunity/enabler, rather than an impost; 8. A factor in all of these = risk
  • 34. Security is a Wholistic System
  • 35. Security is a Wholistic System: Policies Physical Controls Budgets Incidents & Investigations Personnel Controls Information Controls Audit, Assurance & Review Plans
  • 36. Risk as the system driver
  • 37. Risk as the system driver: Establish the ‘Agency-specific’ threat context
  • 38. Risk as the system driver: Establish the ‘Agency-specific’ threat context; Determine risk tolerance
  • 39. Risk as the system driver: Establish the ‘Agency-specific’ threat context; Determine risk tolerance; Identify criticality of assets
  • 40. Risk as the system driver: Establish the ‘Agency-specific’ threat context; Determine risk tolerance; Identify criticality of assets; Assess what the agency is doing right and what is missing from a protective security perspective
  • 41. Risk as the system driver: Establish the ‘Agency-specific’ threat context; Determine risk tolerance; Identify criticality of assets; Assess what the agency is doing right and what is missing from a protective security perspective; Identify relationships between security risk, WH&S, emergency management, business continuity and enterprise risk processes
  • 42. Risk as the system driver: Establish the ‘Agency-specific’ threat context; Determine risk tolerance; Identify criticality of assets; Assess what the agency is doing right and what is missing from a protective security perspective; Identify relationships between security risk, WH&S, emergency management, business continuity and enterprise risk processes; Define the pathway to developing wholistic security risk treatment strategies
  • 43. Risk as the system driver: Establish the ‘Agency-specific’ threat context; Determine risk tolerance; Identify criticality of assets; Assess what the agency is doing right and what is missing from a protective security perspective; Identify relationships between security risk, WH&S, emergency management, business continuity and enterprise risk processes; Define the pathway to developing wholistic security risk treatment strategies; Agree that security risk management is good business sense
  • 44. Risk as the system driver: Establish the ‘Agency-specific’ threat context; Determine risk tolerance; Identify criticality of assets; Assess what the agency is doing right and what is missing from a protective security perspective; Identify relationships between security risk, WH&S, emergency management, business continuity and enterprise risk processes; Define the pathway to developing wholistic security risk treatment strategies; Agree that security risk management is good business sense; When it’s all said and done, don’t walk away
  • 46. Cyclical approach: Security risk assessment/security risk review
  • 47. Cyclical approach: Security risk assessment/security risk review; Initial planning/planning updates; Higher planning/higher planning updates
  • 48. Cyclical approach: Security risk assessment/security risk review; Initial planning/planning updates; Policy development/policy review; Higher planning/higher planning updates; Higher policy/higher policy updates
  • 49. Cyclical approach: Security risk assessment/security risk review; Initial planning/planning updates; Policy development/policy review; Implementation planning; Higher planning/higher planning updates; Higher policy/higher policy updates
  • 50. Cyclical approach: Security risk assessment/security risk review; Initial planning/planning updates; Policy development/policy review; Implementation planning; Implementation; Higher planning/higher planning updates; Higher policy/higher policy updates
  • 51. Cyclical approach: Security risk assessment/security risk review; Initial planning/planning updates; Policy development/policy review; Implementation planning; Implementation; Operations; Higher planning/higher planning updates; Higher policy/higher policy updates
  • 52. Cyclical approach: Security risk assessment/security risk review; Initial planning/planning updates; Policy development/policy review; Implementation planning; Implementation; Operations; Higher planning/higher planning updates; Higher policy/higher policy updates; Investigations; Targeted reviews and audits; Incident data analysis; Projects/validation exercises
  • 53. Cyclical approach: Security risk assessment/security risk review; Initial planning/planning updates; Policy development/policy review; Implementation planning; Implementation; Operations; Higher planning/higher planning updates; Higher policy/higher policy updates; Investigations; Targeted reviews and audits; Incident data analysis; Projects/validation exercises; Ongoing security risk monitoring
  • 54. Cyclical approach: Security risk assessment/security risk review; Initial planning/planning updates; Policy development/policy review; Implementation planning; Implementation; Operations; PSPF annual assurance; Higher planning/higher planning updates; Higher policy/higher policy updates; Investigations; Targeted reviews and audits; Incident data analysis; Projects/validation exercises; Ongoing security risk monitoring
  • 55. Benefits. Helps protective security in an organisation: align with the risk-based approach intent of the PSPF
  • 56. Benefits. Helps protective security in an organisation: align with the risk-based approach intent of the PSPF; to be responsive to changing environment
  • 57. Benefits. Helps protective security in an organisation: align with the risk-based approach intent of the PSPF; to be responsive to changing environment; to remain relevant to executive management (risk owners)
  • 58. Key Takeaways and Discussion: The component parts must interact – communication essential
  • 59. Key Takeaways and Discussion: The component parts must interact – communication essential; Risk context is crucial – tailoring important
  • 60. Key Takeaways and Discussion: The component parts must interact – communication essential; Risk context is crucial – tailoring important; Take a cyclical, wholistic approach driven by risk