Intro to Security Risk Assessment with HawkSight
-
Upload
paul-mercer -
Category
Software
-
view
367 -
download
8
description
Transcript of Intro to Security Risk Assessment with HawkSight
SECURITY RISK ASSESSMENTWITH
Paul Mercer – Security Risk Consultant
Part 1 – An intro to SRA – 15 minsPart 2 – Security Risk Assessment
Methodology – 1 hrPart 3 – What is HawkSight? - 15 minsPart 4 – Security Threat Analysis using
HawkSight – 1 hr
PART 1 AN INTRODUCTION TO SECURITY
RISK ASSESSMENT
WHAT IS A SECURITY RISK ASSESSMENT (SRA)?
A Security Risk Assessment offers a structured means of
determining the Threats to, and
Vulnerabilities of an Organisation, Community or
Individual” SRMBOK:2008
WHY DO WE NEED TO CONDUCT A SRA?
To reduce uncertainty…. “A risk based approach to
security ensures improved corporate governance and transparency of decision making through managing risk that threaten the on-going sustainability of the organisation” AS/NZ 4360:2004
“To shape operational activities and optimise the allocation of resources” SRMBOK:2008
HOW DO WE CONDUCT A SRA?Security Risk M
anagement H
B167En
terp
rise
Risk
Man
agem
ent
ISO
310
00
PART 2SECURITY RISK ASSESSMENT METHODOLOGY
SECURITY RISK ASSESSMENT METHODOLOGYSecurity Risk M
anagement H
B167En
terp
rise
Risk
Man
agem
ent
ISO
310
00
WHY?
“To gain an understanding of what our client does and how they do it in order we can recommend security
controls that match the needs of the client, the physical and regulatory
environment in which they operate, as well as meeting international
standards and best practice”
STRATEGIC CONTEXT
“Allows us to “gain an understanding of the external environment in which the
organisation is operating or may be operating [in the future in order to] identify any factors that may have an effect on the organisation or the way it does business”
HB 167:2006
OPERATIONAL CONTEXT
“To agree an understanding of the organisation itself, and any issues that may influence its exposure to security risk or the
activities undertaken to manage them. In other words, what do they do and how do
they do it.”
PROJECT CONTEXT - CONSEQUENCE?“The consequences of any security event are assessed
with reference to the potential damage to the client should the Risk occur and may be defined in terms of
effect on the achievement of client’s objectives, or possible impact on meeting defined business, financial,
management, operational, safety, security and environmental requirements, in terms of the legal and
regulatory framework or impact to reputation” “In analysis the consequence against likelihood the
approach adopted for security risks in this assessment reflects international best practice (HB 167) and is to
take the most probable worst case scenario”
PROJECT CONTEXT – SECURITY RISK MANAGEMENT (SRM)
How does the client currently manage Security Risk?
How do they Identify, Assess, Evaluate and Treat Security related Risk?
Understanding the Security Risk Management Context provides the scope, parameters and plan for undertaking the
proposed Security Risk activities.
SRM – RISK TOLERANCE
Editing the Risk Matrix Edited Matrix Showing Greater Risk Tolerance
SRM - RISK RESPONSE LEVELS
SECURITY RISK ASSESSMENT METHODOLOGYSecurity Risk M
anagement H
B167En
terp
rise
Risk
Man
agem
ent
ISO
310
00
VULNERABILITY ASSESSMENT – TARGET ATTRACTIVENESS
VULNERABILITY ASSESSMENT – CONTROL LEVEL EFFECTIVENESS
What are Security Controls?
“Process, Policy, Device or other action that acts to minimise negative risk or enhance positive
opportunities”
AS/NZ4360:2004 Risk Management Standard p 342
SECURITY CONTROL TRIANGLE
Policy & Procedure
Physical &
Manpower Technology
VULNERABILITY ASSESSMENT – BUSINESS RESILIENCE
“Business Resilience, or Post Incident Vulnerability (V2), is the robustness and ability of the asset, facility or system to
withstand attack and / or maintain service in the event of damage or disruption”
SECURITY RISK ASSESSMENT METHODOLOGYSecurity Risk M
anagement H
B167En
terp
rise
Risk
Man
agem
ent
ISO
310
00
WHAT IS A CRITICAL ASSET ASSESSMENT?
“The Criticality Assessment attempts to prioritise organisational infrastructure, asset or elements by
relative importance or dependence on that element”
SRMBOK2008. p 154
WHAT ARE CRITICAL ASSETS?
Critical Assets are characterised as:
People Physical Property Information Information &
Communication Technologies (ICT)
HOW CAN WE DEFINE PROJECT ASSETS?
3 Steps:1. Gain an overall understanding of what
the project objectives2. Breakdown the processes involved in
achieving these objectives (Process Mapping)
3. Identify the People, Physical Property, Information and ICT that are needed to support these objectives
ESTABLISHING CRITICALITY
We must consider the impact of the loss of functionality of the asset and the associated impact on the relevant process. Loss of the asset is assessed in terms of: Cessation of critical process Short term recovery capability Serious or prolonged reputation
damage
ESTABLISHING CRITICALITY
Criticality is Assessed as:
Extreme High
SignificantModerate
Low
SECURITY RISK ASSESSMENT METHODOLOGYSecurity Risk M
anagement H
B167En
terp
rise
Risk
Man
agem
ent
ISO
310
00
UNDERSTANDING SECURITY RISK AND SECURITY THREAT
Security Threat is defined as any Threat originating from both a human and natural or non-human source that might negatively affect the sentiment of security and quality of life of individuals, and the interests and choices available to organizations and governments.
Security Risk is defined as the effect of disruption on the objectives caused by risks originating from Security Threats identified.
SECURITY THREAT SOURCE
The Source of a Security Threat is defined as is the
origin at which the Threat emanates be
that a human or non human source
which may be external or internal to the project under
review.
ASSIGNING CONSEQUENCE OF A THREAT TO AN ASSET
SECURITY RISK ASSESSMENT METHODOLOGYSecurity Risk M
anagement H
B167En
terp
rise
Risk
Man
agem
ent
ISO
310
00
WHAT IS SECURITY RISK ANALYSIS?
Defining the Impact and Likelihood of each relevant Threat against each Critical Asset defines the
Security Risk Level
WHAT IS SECURITY RISK ANALYSIS
A 4 stage process to inter relate the data gathered so far:
Consequence Level Risk Tolerance Risk Response Level Target Attractiveness Level Business Resilience Level Threat Level Critical Asset Level Control Level Effectiveness Level
STEP 1 –DEFINING PRE-INCIDENT VULNERABILITY (V1)
Target Attractiveness
ControlLevel
Effectiveness
Low Medium Significant High Extreme
Unsatisfactory 6 7 8 9 10
Weak 5 6 7 8 9
Satisfactory 4 5 6 7 8
Good 3 4 5 6 7
Excellent 2 3 4 5 6
STEP 2 –DEFINING LIKELIHOOD
Threat Level
Pre Incident Vulnera
bility (V1)
Low Medium Significant High Extreme
Unsatisfactory 6 7 8 9 10
Weak 5 6 7 8 9
Satisfactory 4 5 6 7 8
Good 3 4 5 6 7
Excellent 2 3 4 5 6
STEP 3 –ASSESSING IMPACT
Consequence Level
Business
Resilience
Level
Minimal Minor Moderate MajorCata
strophic
Unsatisfactory 6 7 8 9 10
Weak 5 6 7 8 9
Satisfactory 4 5 6 7 8
Good 3 4 5 6 7
Excellent 2 3 4 5 6
STEP 4 –DEFINING RISK LEVEL
SECURITY RISK ASSESSMENT METHODOLOGYSecurity Risk M
anagement H
B167En
terp
rise
Risk
Man
agem
ent
ISO
310
00
EVALUATING RISK
Tolerate the Risk- if, after controls are put in place, the remaining risk is deemed acceptable to the organisation, the risk can be retained. Transfer the Risk - this involves another party bearing or sharing some part of the risk by the use of contracts, insurance, outsourcing, joint ventures or partnerships etc.Terminate the Risk - decide not to proceed with the activity likely to generate the risk.Treat the Risk – through implementation of preventative controls measures, policies & procedures, contingency planning, disaster recovery & business continuity plans
EVALUATING IDENTIFIED SECURITY RISKS
SECURITY RISK ASSESSMENT METHODOLOGYSecurity Risk M
anagement H
B167En
terp
rise
Risk
Man
agem
ent
ISO
310
00
AS LOW AS REASONABLY PRACTICABLE(ALARP)
SECURITY RISK TREATMENT
Security in Depth Corporate Security Functions
Hierarchy of Controls Swiss Cheese Model
PART 3WHAT IS HAWKSIGHT ?
WHAT IS HAWK SIGHT ?
Hawk Sight is a Security Risk Assessment Calculator. It speeds up the analysis process by automating the
risk analysis methodology, thereby significantly reducing the time required to produce the Security Risk Assessment report.
Used by a trained Security Risk Consultant it will facilitate standardised, ISO 31000 compliant Security Risk Assessments, and ensures continuity in the Security Risk Assessment process, allowing like for like comparison across all Security Risk Assessments, regardless of organisation type or country of operation.
INTERNATIONAL RISK STANDARDS
LOGIN PAGE
Sign in at http://maxwelllucas.digitalpilgrims.co.uk using your designated username and password.
CLIENT VAULT PAGE
SECURITY RISK REGISTER
HAWKSIGHT SIMULTATOR
HAWKSIGHT SIMULTATOR
HAWKSIGHT SIMULTATOR
REPORT WRITE UP
WORD TEMPLATE
PART 4SECURITY THREAT ANALYSIS USING
UNDERSTANDING SECURITY RISK AND SECURITY THREAT
Security Threat is defined as any Threat originating from both a human and natural or non-human source that might negatively affect the sentiment of security and quality of life of individuals, and the interests and choices available to organizations and governments.
Security Risk is defined as the effect of disruption on the objectives caused by risks originating from Security Threats identified.
SECURITY THREAT SOURCE
The Source of a Security Threat is defined as is the
origin at which the Threat emanates be
that a human or non human source
which may be external or internal to the project under
review.
THREAT SOURCE
Threat sources may be categorised as follows: Military Threats to Security from Other States Security Threats from Non State Actors Economic Threats to Security Criminal Threats to Security Social and Religious Threats to Security Health Threats to Security Natural Threats to Security Environmental Threats to Security Accidentally Occurring Threats to Security
THREAT DRIVER
The motivation of a human source or the non human trigger event for a threat to
occur.
DEFINING THE LEVEL OF THREAT
Human Threat Intent refers to covert, implicit, or expressed
aims, goals, objectives, desires or directions of a human threat source, as identified in historical trend data, similar previous incidents and collected intelligence.
Capability refers to the attributes of a human threat source that enable a human Threat to occur, such as skills and knowledge, access to material and financial resources, time and supporters.
INTENT
Determined Threat Source has acted in the last 2 years Drivers/motivational factors still exist
Expressed Threat Source has not been active in the past 5
years Driver/motivational factors still exist
Little Threat Source has not been active for more than 5
years No known driver or motivational factors exist
CAPABILITY
Extensive Potential protagonist has proven capability and
the means to implement the threat effectively against the asset type.
Moderate Potential protagonist has limited proven capability
and resources to implement the threat effectively against the asset type.
Low Potential protagonist has no proven capability and
no resources to act against the asset.
NATURAL OR NON-HUMAN THREAT
Potential refers to the incidence of a non-human Threat and the circumstantial, climate and geographic factors that can trigger it or increase its propensity to occur, as identified in historical trend data, past events and scientific estimates.
Capacity refers to the ability of a non-human Threat to do harm and the factors that can amplify its damage potential, calculated from similar previous incidents and scientific estimates.
POTENTIAL
Likely Threat Source has been active itself in the last 2 years Conditions still exist that might trigger activity
Possible Threat Source has not been active in the past 5 years Conditions still exist that might trigger activity
Improbable Threat Source has not been active for more than 5
years Conditions do not exist that might trigger activity
CAPACITY
Extensive Source of threat has proven capacity to cause multiple
human fatalities and total disruption of business operations.
Moderate Source of threat has proven capacity to cause multiple
injuries to personnel and significant disruption of business operations.
Low Source of threat has no proven capacity to cause
significant injuries to personnel or significantly affect any business operations.
CALCULATING THREAT LEVEL
Intent/Potential
Little/
Improbable
Expressed/
Probable
Determined/
Likely
Capability/Capacity
Extensive Moderate High Extreme
Moderate Low Significant High
Low Low Moderate Significant
ENTERING THREAT DATA INTO HAWK SIGHT
There are 2 ways to enter Threat Data into your project: Adding/Editing Threats Manually to the
Hawk Sight database Selecting pre entered Threats from the
Hawk Sight database
ENTERING THREAT DATA INTO HAWK SIGHT
THREAT DATA PAGE
ADDING/EDITING THREATS MANUALLY
USING PRE ENTERED THREATS FROM THE DATABASE
THREAT DATA PAGE
THREAT DATA SELECTION