Hawk sight sra training

SECURITY RISK ASSESSMENTWITH

Paul Mercer

SECURITY RISK ASSESSMENT TRAINING USING HAWK SIGHT

Day 1 Lesson 1 – Introduction Lesson 2 – Adding a new Client and

Project Lesson 3 – Adding Project Context

SECURITY RISK ASSESSMENT TRAINING USING HAWK SIGHT

Day 2 Lesson 4 - Security Threat Analysis Lesson 5 – Critical Asset Assessment Lesson 6 – Control Level Effectiveness

Assessment

SECURITY RISK ASSESSMENT TRAINING USING HAWK SIGHT

Day 3 Lesson 7 – Security Risk Analysis &

Evaluation Lesson 8 – Security Risk Treatment Final Exercise Course Wash up

AN INTRODUCTION TO SECURITY RISK ASSESSMENT

Lesson 1

WHAT IS A SECURITY RISK ASSESSMENT (SRA)?

A Security Risk Assessment offers a structured means of

determining the Threats to, and

Vulnerabilities of an Organisation, Community or

Individual” SRMBOK:2008

WHY DO WE NEED TO CONDUCT A SECURITY RISK ASSESSMENT (SRA) ?

To reduce uncertainty…. “A risk based approach to

security ensures improved corporate governance and transparency of decision making through managing risk that threaten the on-going sustainability of the organisation” AS/NZ 4360:2004

“To shape operational activities and optimise the allocation of resources” SRMBOK:2008

HOW DO WE CONDUCT A SECURITY RISK ASSESSMENT (SRA)?

Security Risk Managem

ent HB167

Ente

rpris

e Ri

sk M

anag

emen

t IS

O 3

1000

WHAT IS HAWK SIGHT ?

Hawk Sight is a Security Risk Assessment calculator. It speeds up the analysis process by automating the

risk analysis methodology, thereby significantly reducing the time required to produce the Security Risk Assessment report.

Used by a trained Security Risk Consultant it will facilitate standardised, ISO 31000 compliant Security Risk Assessments, and ensures continuity in the Security Risk Assessment process, allowing like for like comparison across all Security Risk Assessments, regardless of organisation type or country of operation.

INTERNATIONAL RISK STANDARDS

ADDING A NEW CLIENT AND PROJECTS

Lesson 2

ESTABLISHING A PROJECT IN HAWK SIGHT Sign in at http://maxwelllucas.digitalpilgrims.co.uk using

your designated username and password.

ADDING YOUR NEW CLIENT TO HAWK SIGHT

ADDING YOUR CLIENT DETAILS

ADDING YOUR CLIENT DETAILS

ADDING YOUR CLIENT CONTACT DETAILS

ADDING CLIENT CONTACT DETAILS

ADDING A NEW PROJECT TO YOUR CLIENT

ADDING YOUR CLIENT CONTACT DETAILS

ESTABLISHING PROJECT CONTEXT

Lesson 3

ESTABLISHING PROJECT CONTEXT – WHY?

“To gain an understanding of what our client does and how they do it in order we can recommend security

controls that match the needs of the client, the physical and regulatory

environment in which they operate, as well as meeting international

standards and best practice”

STRATEGIC CONTEXT

“Allows us to “gain an understanding of the external environment in which the

organisation is operating or may be operating [in the future in order to] identify any factors that may have an effect on the organisation or the way it does business”

HB 167:2006

OPERATIONAL CONTEXT

“To agree an understanding of the organisation itself, and any issues that may influence its exposure to security risk or the

activities undertaken to manage them. In other words, what do they do and how do

they do it.”

SECURITY RISK MANAGEMENT CONTEXT

How does the client currently manage Security Risk. How do they Identify, Assess,

Evaluate and Treat Security related Risk?

Developing The Security Risk Management Context provides the scope, parameters and plan for undertaking the proposed

Security Risk activities.

LOGON TO HAWKSIGHT

Sign in at http://maxwelllucas.digitalpilgrims.co.uk using your designated username and password.

SELECT THE COMPANY CREATED IN L1

SELECT THE PROJECT CREATED IN L1

ADDING THE PROJECT CONTEXT

STRATEGIC CONTEXT

OPERATIONAL CONTEXT

SECURITY RISK MANAGEMENT CONTEXT

Previous Incidents

SECURITY RISK MANAGEMENT CONTEXT

Consequence

WHAT IS CONSEQUENCE?

“The consequences of any security event are assessed with reference to the potential damage to the client

should the Risk occur and may be defined in terms of effect on the achievement of client’s objectives, or

possible impact on meeting defined business, financial, management, operational, safety, security and

environmental requirements, in terms of the legal and regulatory framework or impact to reputation”

“In analysis the consequence against likelihood the approach adopted for security risks in this assessment reflects international best practice (HB 167) and is to

take the most probable worst case scenario”

DETERMINING CONSEQUENCE IN HAWK SIGHT

SECURITY RISK MANAGEMENT CONTEXT

Risk Matrix

DETERMINING THE STRUCTURE OF THE RISK MATRIX IN HAWK SIGHT

DETERMINING THE STRUCTURE OF THE RISK MATRIX IN HAWK SIGHT

Editing the Risk Matrix Edited Matrix Showing Greater Risk Tolerance

SECURITY RISK MANAGEMENT CONTEXT

Risk Levels

DETERMINING RISK LEVELS IN HAWK SIGHT

SECURITY RISK MANAGEMENT CONTEXT

Target Attractiveness

DETERMINING TARGET ATTRACTIVENESS IN HAWK SIGHT

SECURITY RISK MANAGEMENT CONTEXT

Business Resilience

WHAT IS BUSINESS RESILIENCE?

“Business Resilience, or Post Incident Vulnerability (V2), is the robustness and ability of the asset, facility or system to

withstand attack and / or maintain service in the event of damage or disruption”

DETERMINING THE LEVEL OF BUSINESS RESILIENCE IN HAWK SIGHT

PROJECT CONTEXT - SUMMARY

Strategic Context Operational Context Security Risk Management Context

Researching Previous Incidents Determining Consequence Criteria Determining Risk Tolerance though the Risk

Matrix Determining Risk Level Response Determining Target Attractiveness Determining levels of Business Resilience

SECURITY THREAT ANALYSIS

Lesson 4

UNDERSTANDING SECURITY RISK AND SECURITY THREAT

Security Threat is defined as any Threat originating from both a human and natural or non-human source that might negatively affect the sentiment of security and quality of life of individuals, and the interests and choices available to organizations and governments.

Security Risk is defined as the effect of disruption on the objectives caused by risks originating from Security Threats identified.

SECURITY THREAT SOURCE

The Source of a Security Threat is defined as is the

origin at which the Threat emanates be

that a human or non human source

which may be external or internal to the project under

review.

THREAT SOURCE

Threat sources may be categorised as follows: Military Threats to Security from Other States Security Threats from Non State Actors Economic Threats to Security Criminal Threats to Security Social and Religious Threats to Security Health Threats to Security Natural Threats to Security Environmental Threats to Security Accidentally Occurring Threats to Security

THREAT DRIVER

The motivation of a human source or the non human trigger event for a threat to

occur.

DEFINING THE LEVEL OF THREAT

Human Threat Intent refers to covert, implicit, or expressed

aims, goals, objectives, desires or directions of a human threat source, as identified in historical trend data, similar previous incidents and collected intelligence.

Capability refers to the attributes of a human threat source that enable a human Threat to occur, such as skills and knowledge, access to material and financial resources, time and supporters.

INTENT

Determined Threat Source has acted in the last 2 years Drivers/motivational factors still exist

Expressed Threat Source has not been active in the past 5

years Driver/motivational factors still exist

Little Threat Source has not been active for more than 5

years No known driver or motivational factors exist

CAPABILITY

Extensive Potential protagonist has proven capability and

the means to implement the threat effectively against the asset type.

Moderate Potential protagonist has limited proven capability

and resources to implement the threat effectively against the asset type.

Low Potential protagonist has no proven capability and

no resources to act against the asset.

NATURAL OR NON-HUMAN THREAT

Potential refers to the incidence of a non-human Threat and the circumstantial, climate and geographic factors that can trigger it or increase its propensity to occur, as identified in historical trend data, past events and scientific estimates.

Capacity refers to the ability of a non-human Threat to do harm and the factors that can amplify its damage potential, calculated from similar previous incidents and scientific estimates.

POTENTIAL

Likely Threat Source has been active itself in the last 2 years Conditions still exist that might trigger activity

Possible Threat Source has not been active in the past 5 years Conditions still exist that might trigger activity

Improbable Threat Source has not been active for more than 5

years Conditions do not exist that might trigger activity

CAPACITY

Extensive Source of threat has proven capacity to cause multiple

human fatalities and total disruption of business operations.

Moderate Source of threat has proven capacity to cause multiple

injuries to personnel and significant disruption of business operations.

Low Source of threat has no proven capacity to cause

significant injuries to personnel or significantly affect any business operations.

CALCULATING THREAT LEVEL

  Intent/Potential

  Little/

Improbable

Expressed/

Probable

Determined/

Likely

Capability/Capacity

Extensive Moderate High Extreme

Moderate Low Significant High

Low Low Moderate Significant

ENTERING THREAT DATA INTO HAWK SIGHT

There are 2 ways to enter Threat Data into your project: Adding/Editing Threats Manually to the

Hawk Sight database Selecting pre entered Threats from the

Hawk Sight database

ENTERING THREAT DATA INTO HAWK SIGHT

THREAT DATA PAGE

ADDING/EDITING THREATS MANUALLY

USING PRE ENTERED THREATS FROM THE DATABASE

THREAT DATA PAGE

THREAT DATA SELECTION

CRITICAL ASSET ASSESSMENT

Lesson 5

WHAT IS A CRITICAL ASSET ASSESSMENT?

“The Criticality Assessment attempts to prioritise organisational infrastructure, asset or elements by

relative importance or dependence on that element”

SRMBOK2008. p 154

WHAT ARE CRITICAL ASSETS?

Critical Assets are characterised as:

People Physical Property Information Information &

Communication Technologies (ICT)

HOW CAN WE DEFINE PROJECT ASSETS?

3 Steps:1. Gain an overall understanding of what

the project objectives2. Breakdown the processes involved in

achieving these objectives (Process Mapping)

3. Identify the People, Physical Property, Information and ICT that are needed to support these objectives

ESTABLISHING CRITICALITY

We must consider the impact of the loss of functionality of the asset and the associated impact on the relevant process. Loss of the asset is assessed in terms of: Cessation of critical process Short term recovery capability Serious or prolonged reputation

damage

ESTABLISHING CRITICALITY

Criticality is Assessed as:

Extreme High

SignificantModerate

Low

ENTERING CRITICAL ASSET DATA INTO HAWK SIGHT

ENTERING CRITICAL ASSET DATA INTO HAWK SIGHT

DEFINING IMPACT

ENTERING CRITICAL ASSET DATA INTO HAWK SIGHT

Haulage operations from Karachi, Pakistan to Helmand, Afghanistan

ASSIGNING THREAT TO AN ASSET

Haulage operations from Karachi, Pakistan to Helmand, Afghanistan

ASSIGNING THREAT TO AN ASSET

ASSIGNING CONSEQUENCE OF A THREAT TO AN ASSET

Haulage operations from Karachi, Pakistan to Helmand, Afghanistan

ASSIGNING CONSEQUENCE OF A THREAT TO AN ASSET

CONSEQUENCE CRITERIA DEFINED IN LESSON 3 – PROJECT CONTEXT

ASSIGNING CONSEQUENCE OF A THREAT TO AN ASSET

ASSIGNING TREATMENT OPTIONS

Tolerate the Risk- if, after controls are put in place, the remaining risk is deemed acceptable to the organisation, the risk can be retained. Transfer the Risk - this involves another party bearing or sharing some part of the risk by the use of contracts, insurance, outsourcing, joint ventures or partnerships etc.Terminate the Risk - decide not to proceed with the activity likely to generate the risk.Treat the Risk – through implementation of preventative controls measures, policies & procedures, contingency planning, disaster recovery & business continuity plans

ASSIGNING TREATMENT OPTIONS IN HAWKSIGHT

CONTROL LEVEL EFFECTIVENESS ASSESSMENT (CLE)

Lesson 6

WHAT ARE SECURITY CONTROLS?

“Process, policy, device or other action that acts to minimise negative risk or

enhance positive opportunities”

AS/NZ4360:2004 Risk Management Standard p 342

SECURITY CONTROL TRIANGLE

Policy & Procedure

Physical &

Manpower Technology

ASSESSING CLE USING HAWK SIGHT

ASSESSING CLE USING HAWK SIGHT

ASSESSING CLE USING HAWK SIGHT

HAWK SIGHT SECURITY CONTROLS CHECKLIST

HAWK SIGHT SECURITY CONTROLS CHECKLIST

HAWK SIGHT SECURITY CONTROLS CHECKLIST

HAWK SIGHT SECURITY CONTROLS CHECKLIST

ASSESSING CLE USING HAWK SIGHT

SECURITY RISK ANALYSIS &

EVALUATION

Lesson 7

WHAT IS SECURITY RISK ANALYSIS?

To assess the Impact and Likelihood of each identified Threat against each Critical Asset to define the

Security Risk Level

HOW IS SECURITY RISK ANALYSIS CARRIED OUT?

Need to compare data gathered so far, namely:

Consequence Level – Lesson 3 Risk Tolerance – Lesson 3 Risk Response Level – Lesson 3 Target Attractiveness Level – Lesson 3 Business Resilience Level – Lesson 3 Threat Level – Lesson 4 Critical Asset Level – Lesson 5 Control Level Effectiveness Level – Lesson 6

STEP 1 –PRE-INCIDENT VULNERABILITY (V1)

Target Attractiveness

ControlLevel

Effectiveness

  Low Medium Significant High Extreme

Unsatisfactory 6 7 8 9 10

Weak 5 6 7 8 9

Satisfactory 4 5 6 7 8

Good 3 4 5 6 7

Excellent 2 3 4 5 6

STEP 2 –ASSESSING LIKELIHOOD

  Threat Level

Pre Incide

nt Vulnerability (V1)

  Low Medium Significant High Extreme

Extreme 6 7 8 9 10

High 5 6 7 8 9

Significant 4 5 6 7 8

Moderate 3 4 5 6 7

Low 2 3 4 5 6

STEP 3 –ASSESSING IMPACT

  Consequence Level

Business

Resilience Level

  Minimal Minor Moderate Major Catastrophic

Extreme 6 7 8 9 10

High 5 6 7 8 9

Significant

4 5 6 7 8

Moderate 3 4 5 6 7

Low 2 3 4 5 6

STEP 4 –DEFINING RISK LEVEL

EVALUATING IDENTIFIED SECURITY RISKS

SECURITY RISK ANALYSIS USING HAWKSIGHT

SECURITY RISK ANALYSIS WITH HAWKSIGHT

SECURITY RISK REGISTER

SECURITY RISK TREATMENT

Lesson 9

AS LOW AS REASONABLY PRACTICABLE(ALARP)

HAWKSIGHT SIMULTATOR

HAWKSIGHT SIMULTATOR

HAWKSIGHT SIMULTATOR

CORPORATE SECURITY CAPABILITY

PhysicalSecurity

PeopleSecurity

ICT Security

Information Security

SecurityManagement

SECURITY IN DEPTH

HIERARCHY OF CONTROLS

Eliminate

ASSET

Terminate the Risk

Transfer the Risk

Policy and Procedural Controls

Technology Controls

Physical Controls

Inform

ation

Peop

le

ICT

Phys

ical

JAMES REASON’S SWISS CHEESE MODEL

Deter

Detect

Delay

Respond

Recover

James Reason’s Swiss Cheese Model

REPORT WRITE UP

WORD TEMPLATE

FINAL EXERCISE

Lesson 9

FINAL EXERCISE

Run you own SRA and compare your findings with mine….

The following slides will give you the information you require.

ADMIN USER FUNCTION