ESSENTIALS OF A PHYSICAL SECURITY SYSTEMS RISK ASSESSMENT


1 ESSENTIALS OF A PHYSICAL SECURITY SYSTEMS RISK ASSESSMENT
ISACA North Texas 09 Nov. 2017 Don Simmons Acacia Security Management Services, LLC

2 Physical and Logical Security Parallels
Physical Security Defenses Influence Cybersecurity
• The cybersecurity arena is dynamic, fast-moving and under constant evolution. Every day, some breach or another is announced, the next world-ending vulnerability is discovered, or the latest big data analytics solution is released that is going to solve everything – Right!
• There are parallels between cybersecurity and the more mature and well-understood area of physical security. Security risk management reveals typical behaviors that are intrinsic in how we secure ourselves physically, in “real-life” security, and logically, in the cyber-world. There are many equivalent practices in how we approach Physical and Logical Systems Risk Assessments.

3 WHAT ARE YOUR SECURITY GOALS?
A clear statement of the security goals is usually built on answers to questions like the following:
• Do I want to correct a problem or reduce a potential risk?
• Do my proposed solutions address the needs that I have identified?
• Are my solutions consistent with the business culture?
• Will the solutions hinder business operations?
• Will the solutions enhance security performance guidelines for the business?
• Is new technology part of the solution?
• Is the new technology consistent with the long-range plans of the business?

4 ASSESSING BUSINESS NEEDS
Physical security must make sense within the context of the business operations. To build a security system that works for any business, the ‘Needs of the Business’ must first be assessed.
• What is the general level of risk for this business?
• What are the critical events that will stop this business?
• What are the products, information, and assets at this site? What specific risks are associated with each of them?
• How do people and materials enter and leave?
• What are the work schedules?

5 ASSESSING BUSINESS NEEDS (cont.)
A security assessment is the first step in understanding security needs that align with the business. A diligent assessment should produce data that informs you about security issues related to people, information, property, products, and the corporation's reputation. An effective security assessment encompasses three fundamental elements of security risk management: Probability, Criticality, and Vulnerability.

6 KEY ASPECTS
A Physical Security Assessment is custom tailored for each project, but typically includes the following tasks:
• Risk identification and analysis
• Threat and vulnerability assessment
• Review of site and facility security
• Analysis of crime data, including loss history, police calls for service, crime statistics, and crime forecast reports
• Review of degree of compliance with recognized CPTED (Crime Prevention Through Environmental Design) principles

7 KEY ASPECTS (Cont.)
• Review of degree of compliance with security requirements that are specific to the industry. These may include C-TPAT (Customs-Trade Partnership Against Terrorism), FISMA (Federal Information Security Management Act), HIPAA (Health Insurance Portability and Accountability Act), PCI (Payment Card Industry), Joint Commission, and security requirements imposed by regulatory agencies.
• Review of facility operating procedures
• Review of physical security systems
• Review of electronic security systems
• Review of architectural security
• Review of security policies and procedures

8 KEY ASPECTS (Cont.)
• Review of security personnel
• Evaluation of present security program and identification of any weaknesses and vulnerabilities
• Development of recommendations for security improvements
• Identification of short-term and long-term costs
• Prioritization of recommendations and development of implementation plan
• Preparation of written Security Assessment Report

9 PROBABILITY
Probability is the likelihood that a security incident will occur, independent of any efforts to avoid the incident. Probability is affected by location and environment, the product, personnel at the site, and other factors that are beyond normal control. Example: if a facility is in a high-density area of a large city, the probability of parking lot incidents and vandalism is much greater than if the facility is in a small rural town. Or, if the business uses a proprietary process or has proprietary information with a high market value, it is more likely to see theft attempts than a business that does not use such a process or possess such information. Each area of a business must be evaluated in terms of the probability that a security incident will occur specifically in that area. Research and document the most frequent incidents that have occurred in the building, at the location, and in the surrounding area or neighborhood.

10 CRITICALITY
The criticality of a security incident is the degree to which it affects the ability to do business. An incident with high criticality is one that:
• Interrupts business operations;
• Has significant operational or legal ramifications;
• Impacts or reduces sales;
• Erodes the quality of products or services;
• Gives the competition a significant advantage;
• Causes the loss of substantial revenue;
• And/or damages the corporation's reputation.

11 VULNERABILITY
Vulnerability is a measure of the ability to prevent a security incident. The current security system, controls and other procedures represent the active steps that are in place to mitigate or decrease the vulnerability. Vulnerability changes whenever the environment, operations, personnel, business and/or systems change. Each time a substantive security-related change occurs in an area of the business, there is a need to reconsider that area’s vulnerability.

12 ANALYZING DATA TO ARRIVE AT AN ASSESSMENT OF RISK
The most cost-effective security systems consider all three elements of security concurrently. Overall security risk can be gauged by determining the degree to which an area has high values for probability, criticality, and vulnerability. Concentrate resources on the areas that have the greatest degree of security risk, giving highest priority to those areas that have high values for all of probability, criticality, and vulnerability. High or unacceptable levels of risk dictate that one or more of the three elements be lowered by implementing security measures and/or controls. Areas with uniformly low values do not warrant security resources that could be better spent in other areas of the business.
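As an added illustration of how the three elements can be combined to rank areas of a business (this is not part of the presentation), the script below assumes a 1-5 rating scale for each element, a product of the three ratings as the composite score, and constructed sample areas:

```python
# Added illustration of the Probability / Criticality / Vulnerability analysis
# described on slide 12. The 1-5 scale, the thresholds, the product-based
# composite and the sample areas are constructed assumptions, not the
# presentation's own data or method.
from dataclasses import dataclass

HIGH = 4   # assumed: a rating of 4 or 5 counts as "high"
LOW = 2    # assumed: a rating of 1 or 2 counts as "low"


@dataclass(frozen=True)
class AreaRisk:
    area: str
    probability: int    # likelihood an incident occurs, independent of controls
    criticality: int    # degree to which an incident disrupts the business
    vulnerability: int  # inability of current controls to prevent the incident

    def ratings(self):
        return (self.probability, self.criticality, self.vulnerability)

    def score(self) -> int:
        # A product rewards areas that are high on all three elements at once,
        # which is what the slide says deserves the highest priority.
        return self.probability * self.criticality * self.vulnerability

    def high_count(self) -> int:
        return sum(v >= HIGH for v in self.ratings())

    def disposition(self) -> str:
        if all(v <= LOW for v in self.ratings()):
            return "no additional resources warranted"
        if self.high_count() == 3:
            return "highest priority: lower one or more elements with controls"
        if self.high_count() >= 1:
            return "mitigate: address the high element(s)"
        return "monitor"


def prioritize(areas):
    # Rank by composite score, then by how many elements are high.
    return sorted(areas, key=lambda a: (a.score(), a.high_count()), reverse=True)


# Constructed sample areas (not from the presentation).
SAMPLE_AREAS = [
    AreaRisk("R&D lab (proprietary process)", 5, 5, 4),
    AreaRisk("Visitor parking lot (urban site)", 5, 2, 3),
    AreaRisk("Records archive", 2, 4, 2),
    AreaRisk("Break room", 2, 1, 2),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE_AREAS):
        print(f"{a.area:34} P={a.probability} C={a.criticality} "
              f"V={a.vulnerability} score={a.score():3} -> {a.disposition()}")
```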

