Enterprise Security Risk Management
Security and the ISO31000 Standard?
Julian Talbot
Jakeman Business Solutions Pty Ltd
ISO 31000 Conference 21-22 May 2012
G31000 the Global Risk Management Platform
Once upon a time…
(Timeline figure; labels as shown: Pre-4360; AS/NZS 4360 (1995); ISO 31000; Integrated RM; Fear, Uncertainty, Doubt)
ISO31000
• Principles
• Framework
• Process
(ISO 31000 risk management process diagram)
Establish the Context
Risk Assessment:
– Risk Identification
– Risk Analysis
– Risk Evaluation
Risk Treatment
Communication and Consultation; Monitoring and Review (alongside every step)
Why ISO31000 works for Security?
• ‘Apples for apples’ comparison:
– taxonomy (eg: likelihood and consequence)
– risk assessments by different assessors
– longitudinally
– between divisions or other organisations
– against environmental, safety, financial risks
• Better decisions and allocation of resources
• Permission to add value
• Ability to integrate methodologies
Enterprises…
• $30 billion budget
• 120,000 people
• 8,000 facilities
• 41 Risk Criteria
• 15 Divisions
Source: www.riskebooks.com, Julian Talbot (ASIS 2009)
Australian Trade Commission (Austrade)
• Assists Australian businesses to export
• 1,400 staff in 60 countries
• 120 offices including 22 Consular posts
• $400 million annual budget
Understanding the risks
• Official sources including
– Department of Foreign Affairs & Trade (DFAT)
– National Threat Assessment Centre (NTAC)
• Open source and commercial providers
• Internal capability
– Austrade posts and officers
– Austrade Security Team
• Security Risk Assessments
• Incident reporting
(Chart: Terrorism. Source: Nationmaster.com)
(Chart: Assault. Source: Nationmaster.com)
(Chart: Fraud. Source: Nationmaster.com)
Enterprise Security Risk Assessment (ESRA)
• Defensible, systematic and robust basis for decision making and planning
• Provide senior management with an assessment of current and emerging risks
• Inform the development and application of ongoing budgets and security measures
Enterprise Security Risk Assessment (ESRA)
• Whole of organisation/enterprise
• Inform budget and systems planning
• Known & emerging threats to the ‘business’
– Not location, activity or function specific
• ‘Enterprise Security Standards’
– Based on location, activities and functions
Enterprise Security Standards
Three tables (Intruder Alarm System, Window Treatments, Locks), each giving the required measure for categories VC, IMG, PMV and Esp. at threat levels 1 to 5. Rows are listed with their values in column order as extracted.

Intruder Alarm System (threat levels 1–5)
VC: S, M, M, M, M-Crypt
IMG: S, M, M, M-Crypt
PMV: S, M, M, M-Crypt
Esp.: S, M, M-Crypt, M-Crypt, M-Crypt

Window Treatments (threat levels 1–5)
VC: S1, S2, 2343-R1, 2343-R2, 2343-R2
IMG: S, 2343-R1, 2343-R2, 2343-R2
PMV: S, 2343-R1, 2343-R2, 2343-R2
Esp.: S, S, M, 2343-G0

Locks (threat levels 1–5)
VC: M, M, M10, M11, M12
IMG: M, M, M10, M11, M11
PMV: M, M, M10, M11, M11
Esp.: M, M, M10, M11, M12
Notes:
10 Pick-resistant hardened
11 Pick-resistant hardened, controlled profile
12 Pick-resistant hardened, restricted profile, organisation-endorsed
Results…
• Austrade:
– 5 year $60 million security plan
– Robust, well documented analysis
– Business case: AUD$18.4 billion exports with Austrade assistance (vs $12M p.a. on security)
• Defence:
– 5 year $300 million security plan
– Included $120 million existing treatments
• Finance:
– 3 year $2 million security plan
– Proportional to the agency
Last points…
1. All SR Managers
2. Something free?
3. Business card?
4. Been robbed?
5. Been a robber?
6. Illegal drugs?
7. Been to Africa?
8. Papua New Guinea?
9. Motorcycle license?
Last points…
1. All SR Managers
2. Be prepared
3. Time critical
4. Emotional decisions
5. Red teaming
6. 15% of the economy
7. It’s personal!
8. Big risk taker!
9. HUGE risk taker!