Security/Vulnerability Assessment Methodology, by Michael Scadden, VP of Business Development

Risk Methodology ISSA


Page 1: Risk Methodology ISSA


Page 2: Risk Methodology ISSA

04/18/2023JPF 2

Vulnerability/Risk Methodology (process flow)

1. Identify Critical Assets
2. Identify Threats
3. Determine Impact and Determine Likelihood
4. Determine Necessary Risk Mitigation Processes
5. Identify Current Risk Mitigation Processes
6. Adjust Risk Mitigation Processes to Meet New Standards
7. Measure the Impact of Processes on Previous Rates of Incidents
8. Determine Cost/Benefit of Implemented Processes

Page 3: Risk Methodology ISSA


How to determine a vulnerability or risk:

Threat + Asset = Risk (a risk exists where a threat intersects a critical asset)

Page 4: Risk Methodology ISSA


What are our assets, threats, and risks?

Assets
Critical Assets include but are not necessarily limited to the following:
• People
• Processes
  - Production
  - Logistics
  - Marketing
  - Sales
  - Relationship development with stakeholders
• Property
• Information
• Reputation

Threats
A threat is any action or event that causes damage to our critical assets. Threats include but are not necessarily limited to the following:
• Kidnap of employees
• Assault resulting in major injuries
• Loss of life
• Hijacking of high value assets
• Criminal destruction of assets
• Loss of products used in production of explosives
• Narcotics contamination of logistics lines
• Major extortion

Risk
The potential for an event that would have consequences for assets and impacts on objectives, such as:
• Loss of productivity
• Loss of critical relationships
• Increase in regulatory oversight
• Fines
• Stakeholder loss of confidence

Page 5: Risk Methodology ISSA


Listing Threats:

All levels of security or HESQ personnel should be familiar with the Risk Assessment Methodology.

Rating is 1-5, 1 being the lowest and 5 the highest. Each threat is recorded with a Threat Action, a Threat Actor, a Description, and a Rating:

T1 Narcotics Contamination
  Threat Actor: Local criminal groups
  Description: Local criminal groups utilize the shipping lines of international companies to move narcotics. An occurrence of this type would cause significant damage to our reputation, legal status, and potentially stop production for an indeterminate time.
  Rating: 5

T2 Theft of (high value asset)
  Threat Actor: Criminal groups with internal access to information or employees
  Description: Individuals with knowledge of the movement of high value assets, such as catalysts used in the ammonium production, could potentially plan a heist to acquire those materials. This would cause a significant loss of revenue and some setbacks in production.
  Rating: 4

Page 6: Risk Methodology ISSA


Listing Critical Assets:

Unit Leaders, Country Managers, and HESQ Managers identify and list the Critical Assets in the vulnerability assessments.

Loss of Critical Assets would have an impact on business success.

Each Critical Asset is given a rating (1-5) based on the consequence its loss will have on business success in several areas: Environment, Personnel, Reputation, Process, and Financial, plus an Overall Rating.

A1 Personnel
  Purpose: Run operations that achieve business success
  Environment 2, Personnel 5, Reputation 4, Process 3, Financial 2
  Overall Rating: 5

A2 Information
  Purpose: Data used in the decision making process
  Environment 1, Personnel 1, Reputation 3, Process 4, Financial 5
  Overall Rating: 5

A3 Office Supplies
  Purpose: Used to complete daily tasks
  Environment 1, Personnel 1, Reputation 1, Process 2, Financial 2
  Overall Rating: 2

Page 7: Risk Methodology ISSA


Listing Risks (Likelihood/Impact):

Unit Leaders, Country Managers, and HESQ Managers identify and list risks based on where there is an intersection between a threat and an asset.

Write the risk in the following format: Threat Action, Critical Asset, Threat Actor.

Each Risk is listed with a Likelihood and an Impact rating of 1-5:

R1 Narcotics contamination of products by criminal groups causes a loss of confidence by regulatory entities
  Likelihood 3, Impact 5

R2 Kidnap of personnel by guerrilla elements causing a loss of productivity and confidence in the company by other personnel
  Likelihood 2, Impact 5

R3 Theft of office supplies by company personnel
  Likelihood 4, Impact 1

R4 Use of products in the production of coca crops leading to a damaged reputation
  Likelihood 3, Impact 4

Page 8: Risk Methodology ISSA


Plotting Risks:

Each risk is plotted on a 5x5 grid with Likelihood on the vertical axis and Impact on the horizontal axis, both rated Very Low, Low, Medium, High, Very High:

Likelihood \ Impact   Very Low   Low   Medium   High   Very High
Very High
High                  R3
Medium                                          R4     R1
Low                                                    R2
Very Low

Page 9: Risk Methodology ISSA


Risk Mitigation Planning

Risk Mitigation Planning prioritizes risks, finds a method and minimum standard to mitigate the risk, compares current risk mitigation measures, and shows the security gaps that need to be addressed to meet the necessary standard. Each risk is listed by priority with: Mitigation Options, Current Standards, Recommended, Accept or Reject, Implement by Date, Responsibility, and Revised Rating.

R1 (8)
  Mitigation Options: Reduce Likelihood. Use security and detection procedures that are a deterrence to criminal groups.
  Current Standards: Drug canine sweeps, GPS tracking of vehicle shipments
  Recommended: Rotation of canines, increase number of cameras
  Accept or Reject: Reject
  Implement by Date: None
  Responsibility: None
  Revised Rating: 8

R2 (7)
  Mitigation Options: Reduce Likelihood. Manage travel of personnel most susceptible to being targeted.
  Current Standards: Limited travel allowed for personnel
  Recommended: Prohibit travel to areas of known guerrilla activity
  Accept or Reject: Accept
  Implement by Date: Nov 15
  Responsibility: HESQ
  Revised Rating: 6

R4 (7)
  Mitigation Options: Reduce Likelihood. Clients should be carefully vetted. Reduce Impact through proper compliance in all sales.
  Current Standards: New distributors are investigated before products are sold
  Recommended: All current distributors should be investigated every 6 months
  Accept or Reject: Accept
  Implement by Date: Dec 15
  Responsibility: Security, Legal, Compliance
  Revised Rating: 5
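The scoring used on the Critical Assets, Risks, Plotting and Mitigation Planning slides, as an added worked example that is not part of the original deck. It assumes two rules inferred from the slide numbers rather than stated by the author: an asset's Overall Rating is the highest of its area ratings, and a risk's priority (the "(8)" in "R1 (8)") is Likelihood + Impact.

```python
# Added example, not from the slide deck: a small risk register over the deck's
# sample assets and risks. Assumed scoring rules (inferred, not stated on the
# slides): asset overall = max of area ratings; risk priority = likelihood + impact.
from dataclasses import dataclass

BANDS = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}


@dataclass
class Asset:
    name: str
    areas: dict  # environment/personnel/reputation/process/financial -> 1..5

    def overall(self) -> int:
        # Assumption: Overall Rating equals the worst single-area consequence.
        return max(self.areas.values())


@dataclass
class Risk:
    rid: str
    likelihood: int  # 1..5
    impact: int      # 1..5

    def priority(self) -> int:
        # Assumption: reproduces the R1 (8), R2 (7), R4 (7) labels on slide 9.
        return self.likelihood + self.impact

    def cell(self) -> tuple:
        # (row, column) on the slide 8 likelihood/impact grid.
        return (BANDS[self.likelihood], BANDS[self.impact])


def ranked(risks):
    """Highest priority first; ties broken by impact so severe risks lead."""
    return sorted(risks, key=lambda r: (r.priority(), r.impact), reverse=True)


def grid(risks):
    """Map each (likelihood band, impact band) cell to the risk ids plotted there."""
    cells = {}
    for r in risks:
        cells.setdefault(r.cell(), []).append(r.rid)
    return cells


def revised(risk, new_likelihood, new_impact):
    """Revised Rating after an accepted mitigation changes likelihood/impact."""
    return Risk(risk.rid, new_likelihood, new_impact).priority()


# Sample data transcribed from the slides.
ASSETS = [
    Asset("Personnel", dict(env=2, personnel=5, reputation=4, process=3, financial=2)),
    Asset("Information", dict(env=1, personnel=1, reputation=3, process=4, financial=5)),
    Asset("Office Supplies", dict(env=1, personnel=1, reputation=1, process=2, financial=2)),
]
RISKS = [Risk("R1", 3, 5), Risk("R2", 2, 5), Risk("R3", 4, 1), Risk("R4", 3, 4)]
```

Under these rules R2's Revised Rating of 6 corresponds to the travel restriction lowering its likelihood from 2 to 1 while its impact stays 5; R1, being rejected, keeps its rating of 8.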

Page 10: Risk Methodology ISSA


Reduce or eliminate security incidents:

• Major Security Incidents*
  Objectives will be met when there are zero incidents of the following type:
  - Kidnap of employees
  - Assault resulting in major injuries
  - Loss of life
  - Hijacking of high value assets
  - Criminal destruction of assets
  - Loss of products used in production of explosives
  - Narcotics contamination of logistics lines
  - Major extortion

  *Major security incidents are not limited to the listed threats

• Minor Security or Recurring Incidents*
  Objectives will be met when there is a significant, cost-effective reduction of incidents of the following type:
  - Petty theft
  - Theft of small amounts of product that cannot be weaponized in any way
  - Theft of low value property or assets
  - Unauthorized entry to facilities
  - Minor assault
  - Petty extortion
  - Petty vandalism

  *Minor security incidents are not limited to the listed threats