Enterprise Security Risk Assessment

Report
ENTERPRISE SECURITY RISK MANAGEMENT
SECURITY AND THE ISO31000 STANDARD?
Julian Talbot
Jakeman Business Solutions Pty Ltd
ISO 31000 Conference
21-22 May 2012
G31000 the Global Risk Management Platform
Once upon a time…
4360
F ear
(1995)
31000
31000
U ncertainty
D oubt
AS/NZS
4360
Pre-4360
Integrated
RM
ISO31000
• Principles
• Framework
• Process
Establish the Context
Risk Assessment
Risk Identification
Communication
and
Consultation
Risk Analysis
Risk Evaluation
Risk Treatment
Monitoring
and
Review
Why ISO31000 works for Security?
Why ISO31000 works for Security?
• ‘Apples for apples’comparison:
–
–
–
–
–
taxonomy (eg: likelihood and consequence)
risk assessments by different assessors
Longitudinally
between divisions or other organisations
against environmental, safety, financial risks
• Better decisions and allocation of resources
• Permission to add value
• Ability to integrate methodologies
Establish the Context
Risk Assessment
Risk Identification
Communication
and
Consultation
Risk Analysis
Risk Evaluation
Risk Treatment
Monitoring
and
Review
Threat Assessment
Assessment
Vulnerability
Assessment INTERNAL / EXTERNAL ENVIRONMENT Vulnerability
Criticality Assessment
Opportunity
Threat Actor
Targetability
Attributes
Threat Assessment
ISO31000
Threat Actor
Attributes
Effectiveness
Hazard
Targetability
Vulnerability Assessment
Attributes
Threat Actor
Motivation
Threat Actor
Motivation
Criticality
Hazard
Attributes
Targetability
H
At
Asset Attributes
Criticality Assessment
Asset Attributes
Establish
Establish
Security Criteria
Context
Likelihood
/Probability
Resources
Exposure
(Duration)
Establish Security Criteria
Resources
Knowledge
Desire
Knowledge
Accessibility
(of target)
Attractive
Confidence
Desire
ness
Confidence
Exposure
(Duration)
Suitability
Capability
Exposure
Suitability
(Duration)
Accessibility
Attractive
(of target)
ness
Availability
Deployability
Intent
Consequence
Rec
Accessibility
Availability
Deployability
('Shock')
uperability
(ofRec
target)
Temporal
Temporal
Qualities
Suitability
Av
Dependence
Qualities
uperability
Dependence
Vulnerability
Risk Rating
Identify Risks
Document 'Risk Statement'
Capability
Intent
Threat
(Intel based)
Opportunity
Vulnerability
Effectiveness
Criticality
Risk Prioritisation
Assess Existing Controls
Document 'Risk Statement'
Analyse Risks
Likelihood
/Probability
Threat
(Intel based)
Assess Existing Controls
Effectiveness
Avoid
the Risk
Change
Likelihood
Eliminate the risk
Change
Consequence
Likelihood
/Probability
Substitute the risk
ks
Isolate the asset
Treat
Risks
Opportunity
Treatment Options
Opportunity
Evaluate Risks
Consequence
('Shock')
Engineering controls
Avoid
the Risk
Criticality
Risk Rating
Share
Risk Prioritisation
the Risk
Treatment Options
Change
Likelihood
Eliminate the risk
Consequence
('Shock')
Change
Consequence
Substitute the risk
Isolate the asset
Residual Risk
Personal Protective Equip.
Retain
the Risk
Risk Treatment
ESIEAP
(in order of
preference)
ESIEAP
Administrative controls
Personal Protective Equip.
Residual Risk
Share
the Risk
(in order of
Risk Rating
preference)
Administrative controls
Engineering controls
Risk Rating
Risk Treatment
Retain
the Risk
Monitor and Review
ks
Communicate and Consult
Vulnerability
Effec
Enterprises…
•
•
•
•
•
Julian Talbot (ASIS 2009)
$30 billion budget
120,000 people
8,000 facilities
41 Risk Criteria
15 Divisions
www.riskebooks.com
8
Australian Trade Commission (Austrade)
•
•
•
•
Assists Australian businesses to export
1,400 staff in 60 countries
120 offices including 22 Consular posts
$400 million annual budget
Understanding the risks
• Official sources including
– Department of Foreign Affairs & Trade (DFAT)
– National Threat Assessment Centre (NTAC)
• Open source and commercial providers
• Internal capability
– Austrade posts and officers
– Austrade Security Team
• Security Risk Assessments
• Incident reporting
Terrorism
Source: Nationmaster.com
Assault
Source: Nationmaster.com
Fraud
Source: Nationmaster.com
INTERNAL / EXTERNAL ENVIRONMENT
Threat Assessment
ISO31000
Threat Actor
Attributes
Establish
Context
Vulnerability Assessment
Threat Actor
Motivation
Criticality Assessment
Hazard
Attributes
Targetability
Asset Attributes
Establish Security Criteria
Resources
Knowledge
Desire
Capability
Confidence
Attractive
ness
Exposure
(Duration)
Accessibility
(of target)
Suitability
Intent
Availability
Deployability
Rec
uperability
Temporal
Qualities
Dependence
Vulnerability
Identify Risks
Document 'Risk Statement'
Effectiveness
Criticality
Assess Existing Controls
Likelihood
/Probability
Consequence
('Shock')
Analyse Risks
Risk Rating
Risk Prioritisation
Evaluate Risks
Treatment Options
Avoid
the Risk
Change
Likelihood
Change
Consequence
Share
the Risk
Retain
the Risk
Risk Treatment
Eliminate the risk
Treat
Risks
Substitute the risk
Isolate the asset
ESIEAP
(in order of
preference)
Engineering controls
Administrative controls
Personal Protective Equip.
Residual Risk
Monitor and Review
Opportunity
Communicate and Consult
Threat
(Intel based)
Enterprise Security Risk Assessment (ESRA)
• Defensible, systematic and robust basis for
decision making and planning
• Provide senior management with an
assessment of current and emerging risks
• Inform the development and application of
ongoing budgets and security measures
Enterprise Security Risk Assessment (ESRA)
• Whole of organisation/enterprise
• Inform budget and systems planning
• Known & emerging threats to the ‘business’
– Not location, activity or function specific
• ‘Enterprise Security Standards’
– Based on location, activities and functions
Enterprise Security Standards
THREAT LEVELS
1
2
3
4
5
S
M
M
M
M-Crypt
IMG
S
M
M
M-Crypt
PMV
S
M
M
M-Crypt
M
S2
S
S
S
M
M
M
M
M-Crypt
M-Crypt
M-Crypt
2343-R1
2343-R1
2343-R1
S
M10
M10
M10
M10
2343-R2
2343-R2
2343-R2
M
M11
M11
M11
M11
2343-R2
2343-R2
2343-R2
2343-G0
M12
M11
M11
M12
VC
Intruder Alarm System
Esp.
Window Treatments
Locks
VC
IMG
PMV
Esp.
VC
IMG
PMV
Esp.
S
S1
M
M
M
M
10 Pick-resistant hardened
11 Pick-resistant hardened, controlled profile
12 Pick-resistant hardened, restricted profile, organisation-endorsed
Results…
• Austrade:
– 5 year $60 million security plan
– Robust, well documented analysis
– Business case - AUD$18.4 billion exports with
Austrade assistance (vs $12M p.a. on security)
• Defence
– 5 year $300 million security plan
– Included - $120 million existing treatments
• Finance
– 3 year $2 million security plan
– Proportional - to the agency
Last points…
1.
2.
3.
4.
5.
6.
7.
8.
9.
All SR Managers
Something free?
Business card?
Been robbed?
Been a robber?
Illegal drugs?
Been to Africa?
Papua New Guinea?
Motorcycle license?
Last points…
1.
2.
3.
4.
5.
6.
7.
8.
9.
All SR Managers
Be prepared
Time critical
Emotional decisions
Red teaming
15% of the economy
It’s personal!
Big risk taker!
HUGE risk taker!
THANK YOU
Contact me at:
[email protected]
Download this presentation from:
www.jakeman.com.au

similar documents