SR Assignment 2 PDF

Title SR Assignment 2
Course Security Risk
Institution Edith Cowan University
Pages 18


Security Risk Assignment 2

Security Risk Assignment 2 Breakdown

The ability to model risk is a critical skill as a security and intelligence professional. An effective model provides the ability to analyse different threats, risks and scenarios, to better inform the decision maker.

You are to develop a security risk model, using your risk context statement from assessment 1 as well as the supplied data below.

In the scenario, the supplied data has been gathered through a facilitated group brainstorming session. The information you have available includes:
1. A list of crime statistics, obtained from the police.
2. A list of crime descriptions that explain the terminology used in the police statistics.
3. A list of risks generated by the group brainstorming session.
4. Risk Analysis Data, with raw risk data from each person within the group (this is how various people within the organisation perceive the risks they have identified).
5. Asset Register - a list of some of the organisation's assets, including description, age, current value, replacement value and criticality to organisation.
6. Threat analysis template.

Note: You are to present and demonstrate your security risk model in your report.

Tips:
- To support your model, attempt to use an existing and valid risk model as a theoretical foundation.
- Risk models such as HB167 can support complex or simple risk assessments; you must decide what you need to include in your risk model, taking into account your risk context statement from assignment 1.
- You may make your own assumptions as necessary to support your scenario.

Assessment
Weighting: 30%
Word length: 2,000 words
Due date: 3rd November

Analysing HD Assignment

Cover page - Company name

Structure
Cover Page
- Name of Business
Introduction
- The importance of Risk Management Principles
- The factors involved in Risk Management Principles
- Define Security Risk Management
- Be direct that this report is about risk modelling of an organisation, and mention that HB167 is used.
Purpose
- Provide the organisation with assessment of risk, in terms of which factors, to allow organisation to make better decisions.
Scope
- To evaluate the business's threats, in terms of internal and external factors, the likelihood and consequences.
- Can identify the threat actors within
Threat Analysis - Who, When and Why
Criticality Analysis - What and Where
Vulnerability Analysis - How
Diagram: HB167:2006 Security Risk Management p. 70
Risk Modelling
- The HB167:2006 Security Risk management principles and guidelines will be applied within this report. These act in good accordance with the principles in AS/NZS ISO 31000:2009 Risk management.
Diagram: Establish context, Identify the risks, assess the risks, evaluate the risks, treat the risks - ISO 31000:2009
- Discuss the scope again; the report will identify risks through the processes in the principles and guidelines, of threat assessment, criticality assessment and vulnerability assessment.
- A context is required of the business to be more accurate.
- The context enables the report to develop the internal and external points in congruence with the business. Include a quote about context from HB167.
- Two paragraph context of the business from assignment 1.
- To make the risk assessment process relevant to the context of the business they are rated in terms of likelihood and consequence (Standards Australia).
Threat Assessment
- Definition of a threat.
- The types of threats (geographical, threat source, threat targeting, threat type).
- This was done by "The Group" as seen in Appendix 1.
Diagram: Threat Source Matrix from data from Appendix 1
Threat Analysis
- What is a threat assessment. Apply definitions from Standards Australia.
- State that assumptions and data from Western Australian Police Statistics on Crime will be used and applied to examining the areas of:
1. Potential Threat
2. Methods where Threats interact with critical assets, along with primary and secondary effects
3. Finding the probability of the threat occurring in specific time frames and location using past data for future events
After threats are identified they are rated against their elements.
Threat = Intent x Capability
Intent = Desire x Confidence
Capability = Resources x Knowledge (Refer to Appendix 2)
- Fraud, Burglary and Arson from the property offence category and assaults being an offence against person category.
- Scale designed.

>70% = Determined
>40% = Expressed
- different psychological characteristics
Potential Risk Source Ranking
Vulnerability Analysis
Risk Evaluation
Recommendations
- Purpose of the report
- This assessment has identified
- No extreme risk has been identified to the organization, but four high risk threats are identified.
- Risk is affected by the criticality, likelihood and vulnerability, which produces a rating of the threat.
- In order to reduce the ratings of the threats, parts of the criticality, likelihood and vulnerability need to be changed to reduce the overall risk rating.
- Recommendation is that a cost benefit analysis is given to address the issues.
Appendixes
- Data in Excel Spreadsheet
- Appendix 1 - "Raw Risk Data"
- Appendix 2 - "Asset Register"
- Appendix 3 - "Police Crime Statistics"
- Appendix 4 - "Threat"
References

Finished copy:

Introduction

All organizations are affected by external and internal factors which create uncertainty about whether their objectives will be met and what the outcomes of those objectives will be (Standards Australia, 2009). This uncertainty is known as risk. A critical aspect of an organization is therefore its Risk Management Principles (Standards Australia, 2006). Risk management must be applied at all levels of an organization, including its different functions and projects (Standards Australia, 2009). Security Risk Management is one application of the broader Risk Management process. It is intertwined with the Risk Management Principles, with a focus on finance, safety, marketing, reputation and regulatory impacts (Standards Australia, 2009). In order to achieve the organization's objectives, fundamental processes, functions and infrastructure must be implemented. Risk Management supports decision making for these processes, to ensure they are appropriately applied (Standards Australia, 2009). To aid business decision making, this report uses risk modelling to assess the risk tolerance of the organization and to recognize additional needs. Risk Management includes strategies to protect individuals and organizations from potential losses of infrastructure, assets and people (Dionne, 2013).

Purpose

The purpose of this report is to supply the organization's management with an assessment and analysis of risk with respect to threat, vulnerability and criticality. The data provided in the tables will help the organization make better decisions and manage threats appropriately.

Scope

The scope of this security risk assessment is to evaluate the organization and how it is influenced by internal and external threats such as geopolitical, regulatory, social, community, theft and sabotage. How these internal and external threats interact with risk will determine the vulnerability and criticality of the threats.
This report will use threat analysis (who, when and why), criticality analysis (what and where) and vulnerability analysis (how) to aid the organization in its decision making.

Figure: HB 167:2006 Security risk management, p.70

Risk Modelling

The SA/SNZ HB 89:2013 Risk management handbook equips organizations with methods to better understand and manage risks. Risk management operates under uncertainty, so following a defined process gives better support to decision making. Risk modelling is the application of logical and systematic methods to that process. As the diagram below shows, after establishing the context of the organization, the risks are identified through a threat assessment, vulnerability assessment and criticality assessment, assessed in terms of likelihood and consequence, and then evaluated for tolerability and acceptability. The decision making process then allows the organization to treat the risks, with options such as avoidance, sharing, exploiting, acceptance and reduction. This framework from HB 167:2006 Security risk management is applied throughout this report.

Figure: HB 167:2006 Security risk management, p.14

Context

The organization is an open-pit iron ore mine located 60 km north west of Tom Price in the Pilbara, Australia. It is very large and covers an area of 80,000km^2. Tom Price is a mining town with a mean maximum temperature of 31.3C and a mean minimum temperature of 15.6C (Bureau of Meteorology, 2017); average annual rainfall is 398.5 mm. The facility opened in 2010 at a cost of $1.5bn. The open-pit site produces 22 million tonnes per annum (mtpa) and is expanding to 40 mtpa (Mining Technology, 2017). The iron deposits at the mine comprise the Yandicoogina Shale, Joffre, Whaleback Shale and Dales Gorge units. The facility follows the HB 167 Security Risk Management standard.

Threat Assessment

A threat is anything that may disrupt the process of achieving objectives or hinder the achievement of an objective (Standards Australia, 2006). A threat assessment aims to identify the potential threats that arise from the internal and external security environments (Standards Australia, 2006). Events, aggressors, attackers or adversaries can lead to losses of organizational, community or individual assets, and are therefore identified in the threat assessment. The threats identified in Appendix 1 are summarised in the table below.

Threat Type   Internal                                          External
Direct        Fraud – Stock / Financial                         Fraud – Stock / Goods Receiving / Goods Dispatch
              Theft – Petty Cash / Office / Stock / Services    Burglary – Break & Enter / Office / Stock / Services
              Assault – Spouse / Staff                          Assault – Customer / General / On Duty
Indirect      Loss of IT – Network loss / Virus / Power         Loss of IT – Attack
                                                                Fire – Attack / Arson
                                                                Flood – Act of God

Threat Analysis

Threat assessment is the identification of the internal and external threats to the organization. It consolidates the data obtained after establishing the context of the organization, with a detailed focus on areas of concern (Standards Australia, 2006). Using the Western Australian Police Statistics on Crime (see Appendix 2), assumptions can be drawn from the data to determine:
• Potential threats
• The ways in which threats interact with assets and the effects they cause
• The probability of a threat occurring

Threats are identified and rated against their elements (see Appendix 6):
• Threat = Intent x Capability
• Intent = Desire x Confidence
• Capability = Resources x Knowledge

The Western Australian Police Statistics on Crime can be broken into two sections. Statistics on murder, attempted murder, manslaughter, driving causing death, aggravated and non-aggravated sexual assault, aggravated and non-aggravated assault, assault of a police officer, threatening behaviour, deprivation of liberty, aggravated robbery with and without a firearm, and non-aggravated robbery are grouped into the category of offences against the person, reported as total offences and clearance rate. Statistics on dwelling and non-dwelling burglary, stealing a motor vehicle, stealing other vehicle, theft, receiving/illegal use, fraud, arson, graffiti and property damage are grouped into the category of property offences, also reported as total offences and clearance rate.

Using the data provided, the following scale was determined for threat intent:
• >70% = Determined
• >40% = Expressed

Consequence criteria (loss of the asset results in):

Extreme
• End of functions
• No short term recovery
• Serious reputation loss
• Financial loss >30% of NOPBT/EBITDA

High
• Loss of one or more functions
• No short term recovery
• Serious reputation loss
• Financial loss >10% of NOPBT/EBITDA

Significant
• Loss of one or more functions
• Limited short term recovery
• Serious reputation loss
• Financial loss >5% of NOPBT/EBITDA

Risk Identification

By evaluating risks, a risk tolerance can be determined. This process requires each risk to be evaluated against likelihood and consequence (Standards Australia, 2006). Consequence also refers to the type of impact, such as financial, reputational, safety, people and community impacts. Likelihood also refers to how it is determined, such as the probability and frequency of occurrence (Standards Australia, 2006). The potential threat sources have been identified and measured in the Risk Rating Matrix below, which weighs consequence against likelihood. Likelihood is rated from "A" to "E" (see Appendix 4) and Consequence from level 1 to 5 (see Appendix 5).

Risk Rating Matrix
                     Consequence
Likelihood    1        2            3            4            5
A             Medium   Significant  High         Extreme      Extreme
B             Medium   Medium       Significant  High         Extreme
C             Low      Medium       Significant  High         High
D             Low      Low          Medium       Significant  High
E             Low      Low          Medium       Significant  Significant

After analyzing the raw data (see Appendix 6), the following potential threat sources were identified. Raters: BD (CEO), CD (Office Manager), AJ (Ops Manager), BB (Union Rep), GM (Staff Rep), CK (Marketing). Mode is the modal threat rating from the sample group. Ratings: L = Low, M = Medium, S = Significant, H = High.

Threat       Source    Potential Threat Source   BD  CD  AJ  BB  GM  CK  Mode
Fraud        Internal  Stock                     M   S   M   L   L   S   M
Fraud        Internal  Financial                 S   H   M   L   L   H   H
Fraud        External  Stock                     L   M   L   L   L   M   L
Fraud        External  Goods Receiving           L   M   M   L   L   L   L
Fraud        External  Goods Dispatch            L   H   S   L   S   M   L
Theft        Internal  Petty Cash                L   M   L   L   L   L   L
Theft        Internal  Office                    L   L   L   L   L   L   L
Theft        Internal  Stock                     M   S   L   L   M   H   M
Theft        Internal  Services                  M   M   L   M   L   S   M
Burglary     External  Break & Entry             M   L   L   L   L   L   L
Burglary     External  Office                    M   M   L   M   L   M   M
Burglary     External  Stock                     M   M   L   M   L   M   M
Burglary     External  Services                  L   S   M   L   L   L   L
Assault      Internal  Spouse                    S   S   H   S   M   S   S
Assault      Internal  Staff                     S   S   S   S   M   S   S
Assault      External  Customers                 M   S   S   H   S   M   S
Assault      External  General                   M   S   M   H   S   M   M
Assault      External  On Duty                   H   H   S   H   H   S   H
Loss of IT   Internal  Network Loss              H   H   S   S   S   H   H
Loss of IT   Internal  Virus                     H   S   H   S   M   H   H
Loss of IT   Internal  Power                     L   M   M   L   L   L   L
Loss of IT   External  Attack                    M   S   S   M   M   M   M
Fire         External  Arson                     S   S   S   M   M   S   S
Fire         External  Electrical                S   S   S   M   M   M   S
Flood        External  Act of God                S   S   S   M   M   M   S

The table above shows that different people assign different risk levels to the same potential threat source. This can be caused by different psychological characteristics as well as the different perspectives of different occupations. Personal bias also affects how people judge the effects of a risk, either underestimating or overestimating them (Cochrane Methods, 2017). It is therefore important that a sample of employees from across the organization assesses the potential threat sources and their risk ratings for internal and external threats. A larger pool of employees assessing the potential threat sources produces more accurate and reliable data for the organization's decisions.

Potential Risk Source Ranking

Potential Threat Source        Descriptor                               Mode Threat Matrix from Sample Group
Fraud, Internal                Financial                                High
Assault, External              On duty                                  High
Loss of IT Service, Internal   Network loss, virus                      High
Assault, Internal/External     Spouse, staff, customers                 Significant
Fire, External                 Arson, electrical                        Significant
Flood, External                Act of god                               Significant
Fraud, Internal                Stock                                    Medium
Theft, Internal                Stock, services                          Medium
Burglary, External             Office, stock                            Medium
Loss of IT Service, External   Attack                                   Medium
Fraud, External                Stock, Goods Receiving, Goods Dispatch   Low
Theft, Internal                Petty cash, office                       Low
Burglary, External             Break & entry, services                  Low
Loss of IT Service, Internal   Power                                    Low
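The rating steps used in the Threat Analysis and Risk Identification sections (the Threat = Intent x Capability formula, the Risk Rating Matrix lookup, and the modal rating across the sample group that feeds the ranking) can be run as code. The Python below is an added worked example; it is not part of the report and is not code from HB 167. The matrix and the sample rows are transcribed from the report's tables. Three things are assumptions made here and are marked as such in the code: the four threat factors are treated as fractions in [0, 1]; a tie between ratings is resolved to the higher rating (the report's mode column does not state a tie rule, and it breaks ties both ways, for example High for Financial fraud but Low for Goods Dispatch); and no descriptor is assigned below 40% because the report gives none.

```python
"""Worked example of the report's risk model: threat rating formula,
HB 167-style Risk Rating Matrix lookup, modal rating across a sample
group, and ranking of threat sources.

Added example, not code from the report or from HB 167. The matrix and
sample rows are transcribed from the report; the tie-break rule and the
[0, 1] scaling of threat factors are assumptions.
"""
from collections import Counter

# Ordinal rating scale used throughout the report, lowest to highest.
LEVELS = ["Low", "Medium", "Significant", "High", "Extreme"]
RANK = {name: i for i, name in enumerate(LEVELS)}
# Single-letter codes as used in the raw risk data matrix.
CODE = {"L": "Low", "M": "Medium", "S": "Significant", "H": "High", "E": "Extreme"}

# Risk Rating Matrix transcribed from the report: likelihood A (most likely)
# to E (least likely) against consequence 1 (least severe) to 5 (most severe).
RISK_MATRIX = {
    "A": ["Medium", "Significant", "High", "Extreme", "Extreme"],
    "B": ["Medium", "Medium", "Significant", "High", "Extreme"],
    "C": ["Low", "Medium", "Significant", "High", "High"],
    "D": ["Low", "Low", "Medium", "Significant", "High"],
    "E": ["Low", "Low", "Medium", "Significant", "Significant"],
}


def risk_rating(likelihood, consequence):
    """Look up the report's Risk Rating Matrix; reject out-of-range inputs."""
    likelihood = likelihood.upper()
    if likelihood not in RISK_MATRIX:
        raise ValueError(f"likelihood must be A-E, got {likelihood!r}")
    if not 1 <= consequence <= 5:
        raise ValueError(f"consequence must be 1-5, got {consequence!r}")
    return RISK_MATRIX[likelihood][consequence - 1]


def threat_descriptor(desire, confidence, resources, knowledge):
    """Threat = Intent x Capability, Intent = Desire x Confidence,
    Capability = Resources x Knowledge (the report's formula).

    Assumption: each factor is a fraction in [0, 1]. The thresholds
    >70% = Determined and >40% = Expressed are the report's; it gives no
    descriptor below 40%, so None is returned there. Returns (score, descriptor).
    """
    for name, value in (("desire", desire), ("confidence", confidence),
                        ("resources", resources), ("knowledge", knowledge)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {value!r}")
    intent = desire * confidence
    capability = resources * knowledge
    threat = intent * capability
    if threat > 0.70:
        return threat, "Determined"
    if threat > 0.40:
        return threat, "Expressed"
    return threat, None


def modal_rating(ratings):
    """Modal rating across the sample group, accepting letter codes or names.

    Assumption: ties are broken toward the HIGHER rating (a conservative
    choice for this example; the report does not state its tie rule).
    """
    if not ratings:
        raise ValueError("no ratings supplied")
    names = [CODE.get(r, r) for r in ratings]
    for n in names:
        if n not in RANK:
            raise ValueError(f"unknown rating {n!r}")
    counts = Counter(names)
    top = max(counts.values())
    tied = [n for n, c in counts.items() if c == top]
    return max(tied, key=RANK.__getitem__)


def rank_threat_sources(raw):
    """raw: list of (threat, source, descriptor, [ratings]).
    Returns (threat, source, descriptor, mode) rows, highest risk first;
    rows with equal modes keep their input order (sorted is stable)."""
    rows = [(threat, source, descriptor, modal_rating(ratings))
            for threat, source, descriptor, ratings in raw]
    return sorted(rows, key=lambda r: RANK[r[3]], reverse=True)


# Rows transcribed from the report's raw risk data matrix (six raters:
# CEO, Office Manager, Ops Manager, Union Rep, Staff Rep, Marketing).
RAW_RISK_DATA = [
    ("Fraud", "Internal", "Financial", ["S", "H", "M", "L", "L", "H"]),
    ("Theft", "Internal", "Petty Cash", ["L", "M", "L", "L", "L", "L"]),
    ("Assault", "External", "On Duty", ["H", "H", "S", "H", "H", "S"]),
    ("Loss of IT", "Internal", "Network Loss", ["H", "H", "S", "S", "S", "H"]),
    ("Loss of IT", "External", "Attack", ["M", "S", "S", "M", "M", "M"]),
    ("Flood", "External", "Act of God", ["S", "S", "S", "M", "M", "M"]),
]

if __name__ == "__main__":
    for threat, source, descriptor, mode in rank_threat_sources(RAW_RISK_DATA):
        print(f"{threat:<11} {source:<9} {descriptor:<13} {mode}")
    print(risk_rating("B", 4), threat_descriptor(0.9, 0.9, 0.95, 0.95))
```

Running the module prints the sample rows in ranked order (the three High rows first, then Act of God, Attack, Petty Cash), followed by the matrix result for likelihood B and consequence 4 and the threat score for a high-desire, high-capability adversary. Because two of the transcribed rows (Financial fraud and Network Loss) are tied in the raw data, they only reproduce the report's High rating under the higher-rating tie rule; if a different rule is wanted, only modal_rating's final line needs to change.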

Vulnerability Analysis

Vulnerability analysis is the process of considering each credible threat against each critical asset (Standards Australia, 2006). It determines the potential for an attack to succeed and which elements aid or hinder it, and it assesses the effectiveness of the layers of security in place to inhibit a successful attack, including the critical path through those security measures (Standards Australia, 2006).

Figure: HB 167:2006 Security risk management, p.43

There are multiple factors that can open a hole in the security layers and allow adversaries to penetrate or attack a facility. Defence in Depth follows the process of deterring the attack, detecting it, delaying it, responding to it and recovering from it (Coole, Corkill & Woodward, 2012). Assessing the security controls shows how they act as countermeasures and how effective they are. The degree of visibility is another factor in the vulnerability of the facility: access to insightful information such as facility blueprints, media coverage, work patterns and daily routines can, once studied by an adversary, lead to security failures (Standards Australia, 2006). The iconic status of a facility also affects how effective security measures are and how likely adversaries are to attempt to gain entry or access to critical assets; the Pentagon, for example, has an iconic status that shapes both the threats it faces and the likelihood of adversary attack. The degree of threat access refers to the real and perceived nature of security measures: the adversary's perspective differs from that of the facility's security managers, so the threat level changes with the adversary's ability to perceive the security measures (Standards Australia, 2006). Collateral exposure is a further potential vulnerability that needs to be analysed; it covers the fact that the facility and organization may be in close proximity to targets that are attractive to other adversaries and attacks (Standards Australia, 2006). Interdependency demand refers to the degree to which the organization depends on other services which, if affected negatively, would have consequences for the organization's security measures. Examples include security, safety, sustainability, survival, incident response capability and incident recovery capability (Standards Australia, 2006). Finally, incident management capability refers to the controls needed in unlikely and emergency situations. Examples include emergency planning and response capability, security planning, business continuity planning, disaster recovery planning, business recovery and resumption planning, and critical incident management capability (Standards Australia, 2006).

Figure: HB 167:2006 Security risk management, p.62

The assessment data (see Appendix 6) has been analyzed in a vulnerability assess...

