Security Risk Management
by Paul Johnson
on 15 May 2018


Transcript of Security Risk Management

Security Risk Management

Security services ensure that human and system resources are protected from internal and external threats. Security can be broken into three primary domains:

Physical Security
Identify, develop, implement and maintain security across the organization's physical elements.

Information Security
Defend information from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction.

Cyber Security
Manage actions that discover, eliminate, prevent or mitigate risk, or that report on cyber threats, vulnerabilities or attacks.
What it is...

Security Risk Management
A process to Identify, Assess, Mitigate and Monitor security risk.

Identification - establish or indicate what a risk is
Assessment - evaluate the nature of someone or something
Mitigation - accept, avoid, limit or transfer risk
Monitoring - observe and report
Facilities, Personnel, Systems, Documents, Media, Video, Audio, Hardware, Software, Networks, Data

Each of the three security domains or 'services' represents a body of work that is provided through its:
Structure
Content
Data
Workflow
Accessibility

'Work' may exist in a physical or digital sense. Some elements may exist mirrored in both.
Security Risk Manager
The role of the Risk Manager is to manage both the physical and digital elements of security. This includes the structure, content, data, accessibility, and workflow associated with all aspects of each business service.
Human Resources
All facets of human resources should be managed with a solution to optimize your security risk management.
- Manage personnel access and permissions
- Enable personnel to obtain security clearances
- Adjudicate issues with clearance or accessibility
- Maintain personnel awareness
System Resources
Continuous awareness of asset inventory under risk mitigation.
- Manage system acquisition, inventory, and monitoring, both virtually and physically
- Control access and egress to facilities, systems and sites
- Report on actions that impact the company's system security posture
- Categorize assets through inventory analysis
Strategy
Risk management strategy is critical at all levels within an organization.
- Strategic initiatives, business development and opportunities must take into consideration all security risks
- Enable long- and short-term security risk management strategy
- Mitigation strategies for risk limitation, avoidance, acceptance or transfer
- Business continuity planning
Finance
Control access to financial assets through defined roles and multi-tiered permissions.
- Accounting, banking, sales, investments, and profit sharing all have elements of security risk
- Control custody of financial assets with defined risk from source to end
- Monitor financial assets for cyber criminal intrusions and attacks
Administration
All information that makes up the organization and its systems can be managed with proper controls through record management.
- Risks are associated with business execution, emergency management and business relationships
- Maintain company documents and records at risk
- Proper storage and handling of both digital (electronic) and physical (hard copy) records
Communication
Real-time collaboration and interaction with all personnel is a critical feature for a Security Risk Manager.
- A security liaison enables interaction with internal and external entities concerning security content, information, personnel, accessibility and reporting
- Internal and external collaboration and participation in compliance
- Public affairs and affiliations monitored for security risk
Project Management
Each project needs continuous awareness of risk to the personnel and system assets used.
- From project planning to execution
- Control access to ensure minimal risk to proprietary information
- Segregate projects, limiting access to personnel with a proper NDA
- Standardize security risk reporting, terms and measurements
Compliance
Enable the workflow to ensure the security professional is in the 'loop' on all security policy.
- Policy, environment, legal, safety, contract management
- Create, modify and update policy for security-related compliance efforts
- Educate to ensure compliance
- Enforce security policy across all organizational services

Veteran-Owned Small Business providing services and solutions to Federal, State and Commercial clients.
- Virginia-based small business with virtual access to the world
- We have been in business for almost 10 years
- Clients range from the United States Army, Navy, Air Force and Marines to private-sector commercial companies
- We deliver measurable value from a variety of innovative consulting solutions with a focus on enterprise sustainability
- Our competent workforce consists of seasoned professionals with the right backgrounds that you can trust

Paul W. Johnson, President
Office: 757-250-2120
Mobile: 757-270-1770
paul.johnson@pragmatica-innovations.com

Risk is pervasive in all elements of life and in business. How you manage risk begins with an understanding of it.

Risk - uncertainty of financial loss, or the probability that a loss has occurred or will occur.
Primary Risk Divisions
Human Assets (employees, contractors, outsourced, etc.)
- Any person or group to whom the company is financially bound and for whose security it is legally responsible.

System Assets (real property, leased, owned, facilities, etc.)
- Any system or group of systems to which the company is financially bound and for whose security it is legally responsible.

Risk Elements
Physical - tangible objects; examples include buildings, equipment, supplies and people
Digital - intangible objects; examples include information, trade secrets, patents, copyrights and the web site

Identification
[diagram: asset classification tree; labels recovered: Human Asset, Physical?]
Assessment
Threat - anything that could adversely affect the enterprise
Vulnerability - capable of or susceptible to being damaged through some intentional or unintentional dysfunction

Mitigation
Transfer - move risk from one place to another
Avoid - keep away from or stop doing something
Limit - restrict the size or amount of something permissible
Accept - recognize something as valid and work within its boundaries

Monitoring
Observe - notice or perceive something and register it as being significant
Orient - align something relative to specified criteria
Severity
- Minor: vulnerability requires significant resources to exploit, with little potential for loss.
- Moderate: vulnerability requires minimal resources to exploit, with moderate potential for loss.
- High: vulnerability requires few resources to exploit, with significant potential for loss.

Exposure
- Minor: effects of the vulnerability are tightly contained; exploitation does not increase the probability of additional vulnerabilities being exploited.
- Moderate: vulnerability affects more than one component; exploitation increases the probability of additional vulnerabilities being exploited.
- High: vulnerability affects a majority of components; exploitation significantly increases the probability of additional vulnerabilities being exploited.
Structure
Structure refers to physical folder and virtual folder locations, naming conventions and relationships. Structure is the "library system" for organizing content.

Content
Content exists as physical media (paper) and digital media (audio, video, and documents) that are organized and ordered by the structure. An individual piece of content is the artifact that contains information in the form of specific data. Some enhanced solutions may balance both physical and digital content so that electronic versions of physical artifacts are named the same, located in the same structure and contain the same data.

Data
Data exists as foundational instances of information within content. Data must be protected by controlling access to its associated content. Data matures in a manner similar to structure: it begins as a concept and eventually manifests as a physical object.

Accessibility
Accessibility refers to the security and permissions structured to access the physical and virtual content, workflow or data. Physical access describes the real world of facilities, rooms and cabinets, with their associated locks, badges and access protocols for files and electronic equipment. Digital accessibility describes the cybersecurity considerations that ensure specific personnel have specific permissions to interact with specific content.

Workflow
Workflow refers to dependent services that change the state of data. It typically manifests as one or many manual processes that evolve or mature over time to become automated and repeatable. To engage in a workflow an individual must have access. Workflow is foundational to all other elements in a business because no service is performed in isolation. Evidence of workflow is key to identifying whether a service exists, whether it is done by the company itself or outsourced, or a mixture of both.
No thing and no one can ever be made 100% secure; there is no such thing as a perfect security program.
[diagram: each asset, whether a Human Asset (Employee? Contractor? Outsourced?) or a System Asset (Owned? Leased? Property?), is classified as Physical or Digital and broken into its Structure, Content, Data, Workflow and Accessibility]
- Monitor all risk mitigation efforts and ensure they are timely and efficient
- Ensure any new risks are registered
- Report any mitigation efforts that are "off course" and direct the responsible personnel to correct them
- Align or re-align efforts to mitigate risk
Organizations that do not manage security risk are vulnerable to situations that could disrupt, damage or destroy their ability to conduct business.
Vulnerability Assessment
Threat Assessment
Threat Categories
- Natural (hazards: hurricane, flood, earthquake, etc.)
- Accidental (fire, drop, spill, etc.)
- Intentional (criminal, malicious tampering, etc.)
Threat sub-categories
- Internal (owned or leased human or system)
- External (outside of organizational influence)

Vulnerability Categories
- Cognitive or communicative vulnerability - cannot understand
- Economic vulnerability - economic situation makes it vulnerable
- Social vulnerability - coerced or socially engineered behavior
- Legal vulnerability - mismanagement of legal rights
Vulnerability sub-categories
- Time - vulnerable window of time: short term to forever
- Place - only vulnerable at a specific location
Given all potential threats, based on the scope and context of an organization's business, assess each of the business core services:
- Compliance
- Administration
- Human Resources
- Finance
- Communication
- System Resources
- Strategy

Assess the business archetype elements obtained from the overall business assessment: Manufacturer, Inventor, Service Provider, Lessor, Wholesaler/Retailer, Broker, Trader.