Security Principles & Practices (21%) Flashcards
Who is accountable for protecting the organization?
Leaders of Each Operating Unit
The Organization’s Security Function
Risk assessment, Policy & Supporting Infrastructure
Who reports to a senior-level executive to ensure a strong liaison with leadership, demonstrate commitment and support and highlight the importance of security?
CSD
Security department placement in the organization impacts its ability to:
- Exert influence
- Remain informed
- Garner resources to support programs and strategies
Key competencies of the CSO
- Staff developer
- More strategic than tactical
- Highly ethical
- Responsible & dedicated
- Risk and crisis handler
Security Managers
- Security managers are security specialists and business managers
- Effective security managers are the business partner
- Security managers should be in Senior management
Ratio of direct reports to a single supervisor
Span of Control
A limited number of direct reports
Effective Management
The number depends on:
- Nature of work
- Type of organization
Generally 1:10 is best, but…
1 to 100 is possible with technology & a flattened organization
Management is less important in team environments and flat organizations
An individual reports to only one supervisor
Unity of Command
Three tools of a strategically-managed assets protection program
- Planning
- Management
- Evaluation
Assets Protection Program Management
A single office (or person) should be the assets protection focal point
Convergence
- 2005 definition (ASIS): the integration of traditional & IT security
- Contemporary definition: the merging of various fields to protect critical assets
Factors that change the understanding of and approach to assets protection:
- Threats mutate
- Technology advances
- Management evolves
- Business transforms
Five avenues to address risk:
- Acceptance
- Avoidance
- Reduction (mitigation)
- Spreading
- Transfer
Balancing security and legal considerations:
- Strong security alleviates the need for legal protection
- Strong legal protections alleviate the need for security
- Finding the appropriate mix of both solutions is the key
Five D’s (used to be 3 D’s)
Deter
Deny
Detect
Delay
Destroy
Five forces shaping assets protection:
- Technology and touch
- Globalization in business (increases risks to)
- Standards & regulation
- Convergence of security solutions
- Homeland Security & the international security environment
Globalization in business (increases risks to)
- Business transactions
- Information assets
- Product integrity
- Corporate ethics
- Liability
- Far-flung people and facilities
The most effective defense-in-depth program mixes
- Physical measures
- Procedural measures
- Electronic measures
Defense-in-Depth
Effective Security measures are not oppressive or burdensome
Sarbanes-Oxley Act of 2002
- Formerly known as the Public Company Accounting Reform & Investor Protection Acts of 2002
- Became Law on July 30, 2002
- Passed in response to accounting Scandals at public companies in the late 1990’s and 2000’s
- Established new accounting standards and business practices for US public companies, their boards, and the public accounting firms that serve them
- Requires CEO to certify, the accuracy of their organization’s financial statements
Sarbanes-Oxley Act of 2002 (ctd…)
- Compliance (particularly w/ Section 404) significantly burdens companies’ officers and boards and imposes both civil and criminal penalties on violators who commit fraud
- Established the Public Company Accounting Oversight Board
Sarbanes-Oxley Act of 2002 (ctd…)
- Requires all publicly traded companies to have anonymous reporting methods for questionable accounting or auditing activities
- Limits an organization’s ability to provide strictly internal reporting mechanisms
Standards in General
Address specific needs, such as technical issues, health, safety or environmental concerns, or quality or compatibility requirements
Compliance with a standard is voluntary but a regulation may require compliance with a standard
Nine main types of standards
- Basic
- Product
- Design
- Process
- Specification
- Code
- Management systems
- Conformity assessment
- Personal certification
International Organization for Standardization (ISO)
- ISO is not an acronym; “ISO” is from the Greek for “equal”
- The world’s largest standards developer, based in Geneva, Switzerland
- Non-governmental organization; participants are volunteers
- Does not regulate, legislate or enforce
ISO (ctd…)
- A network of national standards institutes from 159 member countries; each has one vote - the US representative is the American National Standards Institute (ANSI)
- ISO standards often become recognized as industry best practices and de facto market requirements
ISO (ctd…)
- Based on international consensus, ISO standards address the global business community & are developed only when there is an identified market need or to facilitate international or domestic trade; ISO standards are designed to be globally relevant
- Employs a transparent process for developing standards based on consensus among the interested parties, not by majority vote: all major concerns & objections must be addressed
ISO (ctd…)
- Approximately 1000 technical groups in which more than 50,000 experts participate annually
Forged in 1916 as a “clearing house” for Standards Developing Organizations (SDO’s) in the U.S.
ANSI
An organization, company, agency or group that develops standards
SDO
Administrator & coordinator of the U.S. private sector voluntary standardization system
ANSI
ANSI
Decentralized & partitioned into industrial sectors and supported by hundreds of private sector SDO’s
The only accreditor of US Voluntary Consensus SDO’s
- 600 SDO’s in the US
- 200 SDO’s accredited by ANSI to develop American National Standards including ASIS NFPA & SIA
ANSI
The sole US representative to the two major non-treaty international standards organizations: ISO & IEC (International Electrotechnical Commission)
ANSI
Represents more than 125,000 companies and organizations & 3.5 million professionals worldwide
ANSI
Provide broad descriptions of how operations will be conducted
Policies
May be affected by different regulations for different businesses such as:
- Minimum wage (federal & state), FMLA, OSHA
- Regulations for government data
- Building codes
Policies
- Should be useful & simple without overloading employees
- Should be developed closely with managers
- Should provide details of operations & the effects of policy changes
- Should create management buy-in through collaboration in development
Security Policies
- Establish strategic security objectives & priorities
- Identify those accountable for physical security
- Set forth responsibilities & expectations for managers, employees & others
Procedures
- Instruct employees how to react to various issues
- Are clearly articulated to prevent confusion
- Address a wide variety of topics including all topics important for daily functions
- Are widely promulgated & refreshed with employees regularly
Procedures
- Reflect the ideal functionality of the organization
- Support proper staff behavior & facilitate a hospitable safe workplace
Security Procedures
- Are detailed implementation instructions for staff to carry out security policies
- Are often overlooked as asset protection tools
Revised procedures can enhance security while improving the bottom line
What has been extended into streets and other public areas?
Premises Liability of Owners
ASIS Facilities Physical Security Measures Guideline defines risk management as a business discipline consisting of what three major functions?
- Loss prevention
- Loss control
- Loss indemnification
Risk Assessment
A proactive strategy for security/risk mitigation supports sustainable, healthy, productive organizations and is a critical responsibility of senior leadership & governing boards
What was developed in the insurance industry?
Risk Assessment
Who should be responsible for all of the organization’s security/risk strategy?
Senior Executive
An uncertain situation with a number of possible outcomes, one or more of which is undesirable
Risk
What does risk include?
All negative events for an organization, their impact, likelihood & how soon they may occur (imminence)
Two things that risk assessment does with all risks
Defines & Quantifies
3 things risk assessment techniques may be
- Heuristic (ad hoc)
- Inductive (qualitative) (bottom-up approach)
- Deductive (quantitative) (top-down approach)
Inductive
(qualitative - bottom-up approach)
1. Risks are identified at the beginning of the analysis
2. Identified risks are the starting point, not the result
3. This method may produce incomplete results
4. This method makes use of “event trees” that trace an initiating event through a sequence with different possible outcomes
5. Does not readily lend itself to feedback loops in the event trees
6. This method focuses on scenarios which may fail to account for concurrent attacks
Deductive
quantitative - top-down approach
- Risks result from a systemic deductive top-down approach
- Uses “logic diagrams” & “fault trees” along with event trees
When an entire population is at risk
Societal Risk
Risk assessments attempt to find answers to three primary questions
- What can go wrong?
- What is the likelihood of it going wrong?
- What is the impact if it goes wrong?
Risk management attempts to answer four primary questions:
- What can be done about identified risks?
- What options are available?
- What are the associated trade-offs of the options?
- What are the impacts of current management decisions on future options?
5 things that risk assessments include
1. Identifying internal & external threats & vulnerabilities
2. Identifying the probability and impact of an event arising from such threats or vulnerabilities
3. Defining critical functions necessary to continue the organization’s operations
4. Defining the controls in place to address exposure
5. Evaluating the cost of such controls
Risk Formula
R = T x A x V
R = Residual risk
T = Threat, a combination of threat definition & likelihood of an attack
A = Asset to be protected
V = Vulnerability represented by system effectiveness
Coordinated activities to direct & control an organization with regard to risk
Risk Management (ISO)
Although definitions of risk management vary, they generally agree that it relies on
- Risk assessment (which relies on a vulnerability assessment)
- Threats
- Asset value
- Vulnerability
Major types of risk assessment
- Quantitative (hard numbers, history statistics)
- Qualitative (“feel”, predictions, experience, etc.)
Security typically relies on qualitative not quantitative assessment
Risk is expressed in:
- Threat
- Consequence (impact)
- Vulnerability (likelihood/probability)
Risk Analysis Includes
- Risk assessment
- Risk evaluation
- Risk management alternatives
A recommended approach for conducting a general risk assessment
- Understand the organization & identify the people & assets at risk
- Specify loss risk events/vulnerabilities
- Establish the probability of loss risk & frequency of events
- Determine the impact of the events
- Develop options to mitigate risks
- Study the feasibility of implementation of options
- Perform a cost/benefit analysis
The value of a risk analysis depends upon…
The skill of the analyst
Higher risk in high-rise buildings
1. More people = more property & more property = more opportunity for crime
2. More people = more chances of internal crime
3. More people = more anonymity
4. Easy access to the public in CBO’s - easy access to mass transit
5. Elevators & stairwells can be risky places
Higher risk in high-rise buildings…ctd
- Risky neighboring tenants
- Tough to control threats & respond to incidents (too many people & environment is complex)
- Evacuations are difficult
- More critical threats in high-rise include fire, explosion & contamination
- The ability to mitigate threats for high-rises depends on structural design & use of technology to:
  - Deter & detect a threat
  - Communicate a threat’s nature & location
  - Initiate automatic or organizational responders
3 General types of assets
- People
- Property
- Information
Tangible assets can be seen, touched or directly measured in physical form
- Facilities/buildings
- Inventory
- Cash
- Supplies / Consumables
- Equipment, raw materials, accounts payable, telecom systems, other capital assets
Intangible assets can include
- Reputation & image
- Brand recognition & loyalty
- Vendor diversity
- Past performance
- Quality assurance processes
- Workforce retention
- Human capital development
The amount of protection required by an enterprise is a function of:
- Value of the asset
- Risk tolerance of the enterprise
Three general methods of valuing assets
- Dollars (most important measure)
- Consequence criteria
- Policy (prescribed protection levels)
Asset value may be expressed in…
- Criticality
- Consequences of loss
- Severity
Cost-of-loss Formula
K = (Cp + Ct + Cr + Ci) - I
K = Criticality, the total cost of loss
Cp = Cost of permanent replacement
Ct = Cost of temporary substitute
Ci = Lost income
I = Insurance
A loss isn’t measured just by replacement; it also includes:
Lost income
Sales
Downtime
(Indirect Costs)
Security losses are:
- Direct (money, negotiable instruments, property, information..)
- Indirect (harm to reputation, loss of goodwill, loss of employees, harm to employee morale…)
Threats & Loss Events
Pure Risks
Crime
Conflicts of Interest
Natural disaster
Civil disturbance
War/insurrection
Terrorism
Accident
Maliciously willful or negligent personal conduct
Loss risk event (threat) categories
Crimes
Non-Crime (human or natural)
Consequential
Threat classes
- Insiders
- Outsiders
- Collusion
Threat Tactic Categories
Deceit
Force
Stealth
Combination
A detailed list of threats; key to determining the Design Basis Threat (DBT)
Threat Spectrum
The threat against which countermeasures are designed to protect
Design Basis Threat (DBT)
Motivation
Tools
Competence
Knowledge
Threat Considerations
A risk analysis that considers the entire threat spectrum must be performed because…
As the threat increases, performance of individual security elements or the system as a whole will decrease
Cost Abatement
Coverage of losses by Insurance
- Insurance pay-off should be subtracted from the total loss of an asset
- Insurance payments & premiums should reduce the insurance pay-off
Nine probability factors for threats & loss events
- Physical environment (neighborhood & vicinity)
- Overall geographical location
- Social environment
- Political environment
- Economic environment
- Historical experience for the organization
- Historical experience for the industry
- Procedures & processes
- Criminal state-of-the-art
Threat likelihood may be expressed in
Frequency
Probability
Qualitative estimate
A weakness that can be exploited by an adversary
Vulnerability
The process of identifying & quantifying vulnerabilities
Vulnerability Assessment
A method of identifying the weak points of a facility, entity, venue or person
Vulnerability Analysis
A vulnerability assessment is used to…
Determine PPS effectiveness
What determines system requirements before design & implementation
Vulnerability Assessment
Frequency of vulnerability assessments
- Before system implementation
- Upon upgrades
- Periodic system effectiveness tests
A vulnerability assessment should include
- Facility & operations description (facility characterization)
- Threats & assets
- Constraints related to the VA or the site
- Existing countermeasures
- Vulnerabilities in countermeasures
- Baseline analysis of system effectiveness
- Recommendations for countermeasures improvement
- Analysis of expected improvements
A site survey is part of the vulnerability assessment
Types of Testing
- Functional test (components are performing as expected)
- Operability testing (components are being used properly)
- Performance testing (repeats tests to determine component effectiveness against different threats)
Testing Approaches
- Compliance-based
  - Conformance to specified policies or regulations
  - “Feature-based” approach
  - Effective only for low threats, low loss impacts, and CBA-supported cost decisions
  - Easier to perform
  - The metric for this analysis is the presence of the specified equipment & procedures
Testing Approaches
- Performance-based
  - Evaluates how well each element of the PPS operates
What is the biggest mistake made when conducting a Vulnerability Assessment?
Concentrating on individual PPS components & addressing upgrades only at that level, not at the level of the overall system
Three primary functions of a PPS to be tested
- Detection measures
- Delay measures
- Response measures
Detection Measures
- Probability of detection
- The time required to report & assess alarms
- Includes entry controls
Delay Measures
- Layers of security sum up to total delay time
- Delay time considered after detection
Response Measures
- Time to interruption of the adversary
- Accuracy of deployment
An effective assessment system provides two types of information
- Whether the alarm is valid or nuisance
- Key details about the cause of the alarm (what, where, how many)
Containment Strategy
- Detect - prompt detection & reliable notification
- Delay - extend adversary task time
- Respond - timely, aware, equipped, and trained responses
CARVER & Shock vulnerability assessment
- Developed by the US government during WW2 as a targeting process
- Declassified in 2003
- Criticality (impact of the attack)
- Accessibility (ability to get in & out)
- Recoverability (ability of target to recover)
- Vulnerability (ease of compromising target)
- Effect (direct loss)
- Recognizability (target identifiability)
- Shock
Risk Management Options
Mitigation
Acceptance
Transfer
Spreading
Avoidance
* Risk Financing = Insurance
Risk can be reduced in 3 ways
- Prevent the attack
- Protect against attack
- Mitigating consequences of an attack
Mitigation means reducing consequences
- Mitigation focuses solely on reducing consequences
- It may be implemented before, during and after the attack
General categories of risk reduction
- Equipment & hardware
- Policies & procedures management
- Staffing
Mitigation strategies must be evaluated by…
- Availability
- Affordability
- Feasibility
- Application to operations
Except for certain high-value, irreplaceable items, an organization should base its protection strategies on a realistic, cost-effective rationale
What are the least expensive counter-measures one can employ for asset protection tools?
Procedural Controls
* Revised procedures can enhance security while improving the bottom line for the enterprise
A phrase that defines a call-to-order for assistance against a crime similar to “observe & report” of today
Hue & Cry
“Shire-Reeve” was later shortened to?
Sheriff
What was first described as “the king’s peace”
Government Policing
* Civil torts became crimes against the king’s peace; the “state” collected penalties instead of the people obtaining civil judgments
Name of the first police department organized by Sir Robert Peel in London, 1829?
The Peelers
Arrangements of public safety policing
- Private environment supplement
- Public Environment Replacement
- Public Environment Supplement
Public safety policing model structure
- Tactical operations
- Technological systems
- Order maintenance provisions
When do “private police” have arrest powers?
Only when they are on duty
(may include qualified immunity)
7 Distinctions between public & private policing
- Public police - duty sworn
- Public police - monopolized service is less efficient, even complacent
- Public police - constitutional protections apply
- Private police - employed by private firms
- Private police - a perception of lacking the same authority as public police
- Private police - tends to focus on loss reduction or asset protection
- Private police - provider competition drives better service & value
The success of privatized police requires
Competition
Accountability
Standards
Private Policing
Low-priority call handling, like residential alarms: 20% = crimes, 80% = non-emergencies
Community policing efforts are expensive & resource-intensive
Fear of crime is exacerbated by signs of criminal activity
What 2 activities represent chaotic conditions that result in more serious criminal activity?
Incivility & Disorder
* If incivility is not perceived to be a problem, residents may be able to cope with higher rates of crime
Order Maintenance
- Used in community policing, may reduce crime (lack of order can lead to high crime or fear)
- A core goal of community policing is to focus on fear reductions through order maintenance techniques
- A disorder is characterized by reduced social controls, such as panhandling, loitering, youth taking over parks & street corners, public drinking, prostitution, graffiti, and other disorderly behaviors
Order Maintenance (ctd…)
- Disorder tends to cause a greater sense of risk & loss of control
- The disorder causes more awareness of the consequences of a criminal attack
- As disorder causes crime to increase the community sinks further with conditions that lead to even more crime
- An alternative theory to the socioeconomic impact of crime is that the completion of a crime simply requires the convergence in time & space of an offender, a suitable target, and the absence of guardians
3 Categories of consultants
- Security management consultants
- Technical security consultants
- Security forensic consultants
Security Consultants
Which roles may undertake forensic assignments?
Security management consultants & technical security consultants
Security Consultants
The decision to retain security consulting services is typically driven by a specific…
Problem
Need
Challenge
Goal
Security Consultants
Security consultants might be retained because…
- Lack of in-house time or specialized knowledge
- Need for objective assessment particularly for liability or due diligence situations
- Need for fresh ideas, or independence from internal politics
- Need for flexibility of contracted personnel
- Recognition that management may be more amenable to a consultant’s ideas because of broader experience & industry knowledge
Security Consultants
Resistance to the use of security consultants usually reflects concerns that:
- Asking for outside help suggests the security staff is incompetent
- A negative report from an outsider reflects unfavorably on the security program
- The organization’s policies & procedures could be compromised by an outsider who would become intimately familiar with the enterprise
Effective security programs typically include a well-thought-out array of security measures
Finding a security consultant
- Best source: Referral from a colleague
- Industry associations with consultants as mentors
- Industry - specific associations
Professional consultants are restrictive in the assignments they will accept
- Most consultants specialize & may not see themselves as suited for every need
- Clients should be cautious of a consultant claiming to be able to address all aspects of security
Security Advisory Committee (SAC)
Comprised of members from key corporate functions
- Chaired by a project coordinator
- Members should have stature & credibility
- Members should be able to offer useful opinions about security
SAC Purposes
- Determine adequacy of security measures; determine if a consultant is necessary
- Critically examine the security program
- Maintain general oversight of security program
- Assist in meeting corporate & government requirements
SAC Objectives
- Review the corporate security program at least quarterly
- Determine if additional protective measures are needed
- Advise of any needed changes to security policies or procedures
- Review new program suggestions
- Field criticism or suggestions
Security Awareness
- “An assets protection program will not succeed unless it cultivates the willing cooperation of those affected by it & meshes its goals with the personal goals of the workforce”
- Means consciousness of the program, its relevance, and individual risk responsibility
- Is a continuing attitude that encourages actions in support of security
- Solicits conscious attention and is embraced by senior personnel
Security Awareness (cntd…)
- Causes all personnel to become force multipliers
- Highlights the program’s contribution to financial goals
- Conveys the program’s benefits & ROI
- Conveys to middle management support of business goals
- Conveys to supervision the program’s value
- Is refreshed more often than just at new hire orientation
- Is explained in depth to non-employees
One of the most cost-effective assets protection tools is…
Security Training & Awareness
One of the most important missions of security awareness is…
To familiarize employees with the organization’s policies & procedures
Two categories of employees fail to follow policies
Uneducated Employees
Arrogant Employees
Security Awareness Potential Obstacles
A cooperative employee is less likely to circumvent security