6th Regional Professional Security Conference
17th & 18th June 2008
Kuala Lumpur, Malaysia

Security Risk Management & Asset Protection
Better Practices

Presented by Paul Curwell
Booz & Company
Kuala Lumpur, June 17, 2008
Learning Objectives

• Understand the basic concepts involved in Security Risk Management and how they can be applied to asset protection
• Gain an appreciation of the range of methodologies available
• Understand why and how specific methodologies are used
• Understand the distinction between Security Risk Management activities conducted for systems and processes versus organisations
• Understand the relationships between Security Risk Management and Business Continuity Management
• Know where to go for further information

6th Regional Professional Security Conference, Kuala Lumpur
Booz & Company
SRM and Asset Protection v1.0.ppt
June 17, 2008
Content

• Introduction
• Basic Principles
• Relevance
• Case Studies
• Additional Resources
Introduction
Today, organisations face a new operating reality affecting the safety, security and continuity of their business

Source: S. Sidoti, Booz & Company
Operational complexities have outpaced most operational risk management practices

Source: S. Sidoti, Booz & Company
The result of these operational complexities, and the speed at which they develop, can be referred to as the ‘resilience gap’

Source: S. Sidoti, Booz & Company
This resilience gap, and the move towards networked operating models, presents new challenges for OpRisk management

• Operational Risk Management involves numerous techniques which address both loss reduction and event avoidance
  – Operational risks result from inadequate or failed internal processes, systems, people or from external events
  – Examples of operational risks include technology risk, legal risk, security risk and compliance risk

• Operational Risk is characterised by unpredictable, seemingly random events.
  – This is because operational risks range from extremely common, to extremely rare, such as 1:100 year and 1:1,000 year events
  – For these types of risk, it is quite plausible that no data exists to calculate their magnitude or impact

Basel Committee Operational Risk Loss Event Groups¹
1. Internal Fraud
2. External Fraud
3. Employment practices and workplace safety
4. Clients, products and business services
5. Damage to physical assets
6. Business disruption and system failures
7. Execution, delivery and management process

¹ Alvarez, G. (2002) “Operational Risk Event Classification”
Of particular concern in operational risk management is the management of risks categorised as high impact, low probability

• Because of their scarcity, high impact, low probability operational risks typically lack data on likelihood, detailed insights as to how they may develop, and what the implications may be

• Low impact, low probability and low impact, high probability risks are typically more manageable because of the availability of data, enabling more informed risk-based decision making

Figure 1: Four categories of ‘Operational Risk Event’ (a 2x2 matrix of Impact against Probability with the quadrants High Impact / Low Probability, High Impact / High Probability, Low Impact / Low Probability and Low Impact / High Probability)
Basic Principles

• Definitions
• Steps in Security Risk Management
• Treating Security Risks
Security Risk Management Definitions

• Risk: The chance of something happening that will have an impact upon objectives. Measured in terms of likelihood and consequence.
• Vulnerability: Any weakness that can be exploited by an aggressor to make an asset susceptible to change.
• Threat: Anything that has the potential to prevent or hinder the achievement of objectives or disrupt the processes that support them; a source of, or potential for harm to occur; a source of risk.
• Consequence: The outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. There may be a range of possible outcomes associated with an event.
• Likelihood: Used as a general description of chance, probability or frequency of an event occurring.

Source: HB167:2006 ‘Security Risk Management’, Standards Australia
Step 1 in the Security Risk Management process is developing a comprehensive understanding of the business and its environment

• The objective of establishing the context is to develop a comprehensive understanding of the business and its drivers
  – This is critical to the identification, analysis, evaluation and treatment of risks

• Think across the business, considering:
  – Physical interactions (i.e. business to business, business to customer etc)
  – Interactions which occur via an ICT interface

Establish Context
• Understand the organisational structure
• What are the key earnings drivers?
  – Does a large proportion of the business revenue result from a small number of business activities?
• Understand, and preferably map, process flows within the organisation
• Identify and map critical interdependencies
• Understand the organisation's strategic and operational objectives
• Understand, and preferably map, the organisation's external networks and interdependencies
  – This includes supply and distribution chains
Step 2, Risk Identification, aims to generate comprehensive insights into risks facing the organisation

• How could the risk happen?
  – Sources of risk
• Why could the risk happen?
  – Causes of risk
  – Presence or absence of risk treatments or controls designed to mitigate the risk
• What could happen and what might the associated consequences be?
• Where could the risk happen?
  – Physical location
• When could the risk happen?
  – E.g. can the risk only occur at specific times?
• Who could / must be involved in the specific risk event?
  – E.g. individuals, business units, etc

Risk Identification Methods include:
• Checklists
• Professional Judgement
• Flowcharts
• Brainstorming
• Systems Analysis
• Scenario Analysis
• Groups of experts
• Modelling and simulation
• Fault tree analysis
• Event tree analysis
Step 3: Risk Analysis uses available information to determine an event’s probability and the magnitude of its consequences (1/2)

• Security Risk Analysis starts with an evaluation of a threat against a specific vulnerability. This evaluation is informed by two activities:
  – Threat Assessment; and,
  – Vulnerability Assessment

• The approach used to perform a risk analysis is dependent upon the type of activity concerned.
  – Security Risk Assessments on organisations typically utilise approaches which have a basis in security intelligence
  – Security Risk Assessments on products or services (e.g. credit cards, pharmaceuticals, welfare payments) typically utilise systems and processes which lend themselves to system or process engineering risk methodologies

A Threat Assessment is concerned with identifying those events, aggressors, attackers or adversaries that can cause losses to organisational, community or individual assets¹.

A Vulnerability Assessment considers how each of the credible threats (identified in the Threat Assessment) can be realised against each critical asset².

¹ HB167:2006 Security Risk Management
² Ibid
Step 3: Risk Analysis uses available information to determine an event’s probability and the magnitude of its consequences (2/2)

• There are numerous risk assessment methodologies available.
  – The analyst must determine which methodology is most appropriate
  – The most appropriate model could be a hybrid which combines elements from different methodologies

• Remember that no two risk assessment activities will be identical.
  – The most important consideration when designing and/or selecting a risk assessment methodology is being able to justify the approach
  – The approach must be reasonable and sufficiently robust to address potential legal issues, such as negligence and liability, in the event that a risk event arises

Selecting the Risk Analysis Methodology: considerations for deciding which risk assessment methodology to use can include:
– Whether an organisation, process or system is under evaluation
– Desired outcomes or objectives
– Analyst familiarity with the techniques
– Regulatory requirements
– Existing practices within the organisation
– Cost-benefit analysis
– Availability of data (i.e. qualitative versus quantitative)
– Available timeframe to conduct the assessment activity
– Technical depth of the topic concerned
The Security Risk Management ‘equation’ illustrates how each component combines to generate a risk, which is then treated¹

Risk - Risk Treatment = Residual Risk

The slide's diagram decomposes Risk as follows (each indented line lists the components that feed the term above it):

Risk = Likelihood x Consequence
  Likelihood = Probability + Exposure
    Probability = Threat x Vulnerability
      Threat = Intent + Capability
        Intent = Desire + Expectations
        Capability = Knowledge + Resources + Skills
  Consequence: determined by a Criticality Assessment

¹ HB167:2006 ‘Security Risk Management’, Standards Australia
Step 4: Risk analysis concludes with each risk being rated so that decisions can be made about risk treatment priorities

• The purpose of risk evaluation is to group risks into three broad categories:
  – Broadly Acceptable
  – Tolerable (As Low As Reasonably Practicable)
  – Intolerable (i.e. catastrophic risks)

• The ALARP framework (shown in the slide's figure, which is not reproduced here) can help with deciding which risks require treatment, which can be ignored (left untreated) and to what extent.

Source: Security Risk Management Body of Knowledge
Example (illustrative): A business’ annual revenue projections for the year are $850K, and it has approximately $2.2m in owners' equity¹

• How many low impact losses might a company be able to tolerate?
• What impact might a serious loss event have on the business’ operating position for the next financial year?

Figure: Likelihood plotted against total losses over a one year period (consequence), with the loss axis marked at $0, $750K, $1.5m, $2.25m, $3m, $3.75m and $4.5m. The annotated bands are:
– Risk Acceptance and Financing: Risks up to $850K can be retained (i.e. not transferred; financed through earnings)
– Risk Acceptance and Financing: Risks resulting in losses over $850K, but under $2.2m, can be retained (losses can be absorbed by Capital)
– Risk events resulting in losses over $3m cause a catastrophic loss (cannot be absorbed by firm)

¹ Adapted from Bank of International Settlements (2003). “Operational Risk Transfer across the Financial Sectors”
Step 5: Once an acceptable level of risk for the organisation has
been determined, four options are available to treat risk

   Ultimately, the cost of security measures used to manage risk exposure should not exceed the cost of
   the loss resulting from an event, or combination of critical events.

   Reduce the risk:
   – Introduce controls to reduce the consequence or likelihood of the risk

   Avoid the risk:
   – Cease or change the activities which create the exposure to risk

   Share the risk:
   – Transfer part of the risk to a 3rd party, such as an insurer

   Accept the risk

   Risk Reduction: Optimum level of resourcing means balancing Cost of Security against Cost of Loss¹
   [Chart: $ against Time, with a “Cost of security” curve and a “Cost of loss” curve; the optimum level
   of security resourcing is marked (x)]

   1 Source: Protection of Assets Manual – Security Vulnerability
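The balance this slide describes, worked through as an added example (not part of the original deck): a small risk register in which expected annual loss is likelihood times consequence, the control set is chosen to minimise cost of security plus residual cost of loss, any control set that spends more than it saves is rejected, and the outcome is mapped onto the four treatment options. All risks, controls and dollar figures are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Risk:
    """A risk register entry. All sample values used below are constructed."""
    name: str
    likelihood: float     # expected number of events per year
    consequence: float    # loss per event, in dollars
    insurable: bool       # can part of the loss be transferred to an insurer?
    avoidable: bool       # can the activity creating the exposure be ceased or changed?

    @property
    def annual_loss(self) -> float:
        # Expected total loss over a one-year period = likelihood x consequence
        return self.likelihood * self.consequence


@dataclass(frozen=True)
class Control:
    """A candidate security measure and the reduction it buys."""
    name: str
    annual_cost: float
    likelihood_factor: float = 1.0    # residual likelihood multiplier (1.0 = no effect)
    consequence_factor: float = 1.0   # residual consequence multiplier (1.0 = no effect)


def residual_loss(risk: Risk, controls: tuple[Control, ...]) -> float:
    """Expected annual loss remaining once the given controls are in place."""
    likelihood, consequence = risk.likelihood, risk.consequence
    for c in controls:
        likelihood *= c.likelihood_factor
        consequence *= c.consequence_factor
    return likelihood * consequence


def optimum_controls(risk: Risk,
                     candidates: tuple[Control, ...]) -> tuple[tuple[Control, ...], float]:
    """Choose the control set minimising cost of security + residual cost of loss.

    Every subset of the candidates is evaluated (fine for a short list). A subset whose
    spend exceeds the loss it avoids is rejected outright: that is the slide's rule that
    security spend must not exceed the loss it prevents. Returns the chosen controls
    (empty when doing nothing is cheapest) and the resulting total annual cost.
    """
    best: tuple[Control, ...] = ()
    best_total = risk.annual_loss          # baseline: no controls, full expected loss
    for size in range(1, len(candidates) + 1):
        for subset in combinations(candidates, size):
            spend = sum(c.annual_cost for c in subset)
            loss = residual_loss(risk, subset)
            if spend > risk.annual_loss - loss:
                continue                   # spends more than it saves
            if spend + loss < best_total:
                best, best_total = subset, spend + loss
    return best, best_total


def treat(risk: Risk, candidates: tuple[Control, ...],
          acceptable_annual_loss: float) -> tuple[str, tuple[Control, ...]]:
    """Map a risk to one of the four treatment options on the slide.

    accept: already within the acceptable level of risk.
    reduce: the optimum control set brings residual loss within that level.
    share:  controls alone cannot, but the remainder can be transferred to an insurer.
    avoid:  neither works, so the activity creating the exposure is ceased or changed.
    Falls back to accept (with the optimum controls) when no other option is open; that
    residual risk then needs explicit management sign-off.
    """
    if risk.annual_loss <= acceptable_annual_loss:
        return "accept", ()
    chosen, _ = optimum_controls(risk, candidates)
    if chosen and residual_loss(risk, chosen) <= acceptable_annual_loss:
        return "reduce", chosen
    if risk.insurable:
        return "share", chosen
    if risk.avoidable:
        return "avoid", ()
    return "accept", chosen


# Constructed sample register, loosely themed on the deck's electronic banking case study.
ACCOUNT_TAKEOVER = Risk("Online banking account takeover", likelihood=40, consequence=25_000,
                        insurable=True, avoidable=False)
ACCOUNT_TAKEOVER_CONTROLS = (
    Control("Transaction monitoring for mule-account patterns", 200_000, likelihood_factor=0.5),
    Control("Two-factor authentication", 300_000, likelihood_factor=0.2),
    Control("Out-of-pattern transfer limits", 50_000, consequence_factor=0.5),
)
BRANCH_FIRE = Risk("Branch fire", likelihood=0.02, consequence=5_000_000,
                   insurable=True, avoidable=False)
BRANCH_FIRE_CONTROLS = (Control("Suppression system upgrade", 80_000, consequence_factor=0.5),)
LEGACY_CARD_DATA = Risk("Unencrypted card data on an unsupported legacy platform", likelihood=0.5,
                        consequence=2_000_000, insurable=False, avoidable=True)

if __name__ == "__main__":
    for risk, controls in ((ACCOUNT_TAKEOVER, ACCOUNT_TAKEOVER_CONTROLS),
                           (BRANCH_FIRE, BRANCH_FIRE_CONTROLS),
                           (LEGACY_CARD_DATA, ())):
        option, chosen = treat(risk, controls, acceptable_annual_loss=150_000)
        print(f"{risk.name}: {option} {[c.name for c in chosen]}")
```

With a $150K acceptable annual loss the three sample risks come out as reduce, accept and avoid; lowering the fire risk's acceptable level to $50K flips it to share, because the only control on offer costs more than the loss it would prevent.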


Relevance




In our increasingly complex and interconnected world, security, and
by necessity security risk management, has never been so important

  The dynamic nature of criminal activity poses significant challenges to both private industry and Law
  Enforcement in terms of keeping pace with change.
   – Threats and vulnerabilities are a product of our global environment - social, political, economic,
     cultural and technological

  Emerging technologies typically have a radical impact on our environment.
   – They introduce additional complexity, making it hard to identify and manage vulnerabilities.
   – They provide new avenues for criminals to exploit, and typically present a low risk, high reward
     opportunity due to delayed detection and response.

  Many organizations fail to integrate security elements into new product development teams, meaning
  security is typically ‘added on’ rather than integrated into initial design concepts.
   – This approach typically increases the cost of implementing security whilst decreasing its
     effectiveness
   – This approach can also expose the organisation to unnecessary reputational risk




Security risks rapidly translate into catastrophic business
continuity risks, threatening an organisation’s future viability

   Organisations are increasingly becoming interlinked, so one organisation’s vulnerability flows on to
   others in the value chain.
   – Many organizations fail to embed security risk management approaches across their business
     (horizontally and vertically) and throughout the supply chain.
   – Where security risk management approaches are implemented, there are often inconsistent levels
     of protection.

   Factors such as increased technological innovation, competition, consumer demand, outsourcing and
   offshoring help accelerate the speed of business, impacting upon the timeframe companies have to
   identify and manage security risks.

   Security and Business Continuity Risks¹ (Illustrative)

   Incident                                                        Losses
   1982 - Johnson & Johnson – Product tampering (Tylenol I)        $150m
   1986 - Johnson & Johnson – Product tampering (Tylenol II)       $150m
   1986 - Sandoz – Fire and Pollution                              $85m
   1988 - Norco – Explosion and fire                               $706m
   1988 - Pan Am – Terrorism                                       $652m
   1992 - Commercial Union – Terrorism                             $2,170m

   1 Knight and Pretty (2002). “Impact of Catastrophes on Shareholder Value”, Sedgwick Oxford.

Case Studies
Case Study 1: Security Risk in Electronic Banking
Case Study 2: Security Risk Management in a Biotech Company
Case Study 3: Strategic Security Risk Management in Banking




Case Study: Security Risk in Electronic Banking

   “Money Mules” are intermediaries, working between criminals who obtain funds illegitimately from
   bank customers (victims). Money mules are an essential element in the criminal transfer of money,
   including money laundering, with respect to the proceeds of online banking crime.

   Money mules are typically recruited through seemingly legitimate employment opportunities. People
   typically work as money mules for secondary employment. Characteristically, one mule will recruit
   others from within their social network.

   Mules must open bank accounts in their country of origin to transfer stolen funds to overseas
   criminal syndicates.

   Money mules are a critical enabler as they are required to perpetrate online banking crimes across
   international borders.

   Using analytical and GIS mapping techniques, we profiled the typical ‘mule’ in Australia. These
   profiles could then be integrated into fraud detection systems, providing additional monitoring for
   ‘high risk’ individuals (potential mules).

   Key Consideration:
   Approaches to Security Risk Management should not be limited to published standards. Often,
   complex risks cannot be addressed through ‘normal’ approaches.

Case Study: Security Risk Management in a Biotech Company

   As knowledge-creating businesses, the majority of assets in a biotech company are intangible and
   therefore difficult to identify and protect. Many biotechnology companies are heavily engaged in
   R&D and also engage extensively with third parties through activities such as Joint Ventures.

   A biotechnology company had entered into a joint venture with a vendor to commence trials on a new
   diagnostic test, with a view to taking the diagnostic to market.

   Recognising the value of the potential opportunity, the vendor made a lucrative offer to hire the
   research team, unbeknownst to the research team’s employer.

   In the absence of any controls, the research team only partially documented their research
   outcomes. Less than three weeks after resigning, the research team had filed three separate patent
   applications.

   Research documentation has a significant impact on the ability to obtain a patent, which is the best
   way of recovering these types of investments on R&D. This precluded the biotech from
   commercialising the diagnostic, pending a court hearing.

   Key Consideration:
   Security risks are often industry, and organisation specific. Unless identified early, potentially
   catastrophic risks can easily be overlooked.

Case Study: Quantifying Strategic Security Risk in Banking

   Financial Institutions, their customers and merchants represent lucrative targets for criminals.
   Conversely, law enforcement is typically required to provide a response to attacks against banks
   with little forewarning and inadequate time to understand the complex systems and environment.

   Australia’s banks and law enforcement agencies wanted to identify potential global
   technology-enabled financial crime [TEFC] (e.g. online banking fraud) hotspots.

   Early warning of potential high-risk countries would enable the implementation of more stringent
   controls around banking platforms. This information could also be used by law enforcement with
   respect to international cooperation and training activities, especially in developing countries.

   No previous attempts had been made to rank TEFC security risks in this manner.

   By applying strategic intelligence techniques to a selection of key data indicators and using a
   scored and weighted algorithm, we were able to quantitatively rank every country in the world with
   respect to its TEFC risk status.

   Key Consideration:
   Common security risk management methodologies are not always suitable. Innovative or hybrid
   approaches may be utilised provided they are defensible.

Additional Resources
References
Sample Reports




Publicly available Security Risk Management resources include
standards, manuals, handbooks and other useful references
   Standards
   – AS/NZS 4360:2004 Risk Management
   – BS7799 Information Security Management (ISO17799 and ISO27001)
   – Malaysian Standard ICS 03.100 Business Continuity Management
   – ISO/DIS 31000: Risk Management – Principles and guidelines on implementation (DRAFT)

   Manuals, Handbooks and Guidelines
   – Standards Australia - HB167:2006 Security Risk Management
   – RMIA - Security Risk Management Body of Knowledge
   – ASIS International Protection of Assets Manual
   – US Coast Guard - Risk Based Decisions Manual (2nd Edition)
   – ASIS International - General Guideline for Security Risk Assessment

   Books
   – Risk Analysis and the Security Survey (3rd Edition)


Numerous examples of Security Risk Management activities are
publicly available which can be used to tailor your approach
   (Illustrative)

   US Department of Energy - Vulnerability Assessment Methodology

   US Department of Homeland Security - Vulnerability Assessment Methodologies Report 2003

   BASF Security Vulnerability Assessment (SVA) Methodology & Enhanced Security
   Implementation Management

   US Critical Infrastructure Assurance Office - Vulnerability Assessment Framework (1998)

   UK Serious Organised Crime Agency - Threat Assessment of Serious / Organised Crime 2006/07

   EU Organised Crime Threat Assessment 2007




Thank you for your participation.

Questions?


                                                               Paul Curwell




                                               Booz & Company (Australia) Ltd.
                                                         Level 7, 12 Moore St
                                                      Canberra City ACT 2601
                                                                     Australia
                                                        Tel +61 2 6279 1966
                                                        Mob +61 413 593 074
                                                        Fax +61 2 6279 1990
                                                      Paul.Curwell@booz.com




Supply Chain Services - Business Risk & ManagementAndrew Styles
 
A brief overview of operational risk
A brief overview of operational riskA brief overview of operational risk
A brief overview of operational riskDiane Christina
 
SOC 2 presentation. Overview of SOC 2 assessment
SOC 2 presentation. Overview of SOC 2 assessmentSOC 2 presentation. Overview of SOC 2 assessment
SOC 2 presentation. Overview of SOC 2 assessmentModu9
 
Security Certification - Critical Review
Security Certification - Critical ReviewSecurity Certification - Critical Review
Security Certification - Critical ReviewISA Interchange
 
ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGArul Nambi
 

Semelhante a Srm And Asset Protection V1.0 (20)

Security Patterns How To Make Security Arch Easy To Consume
Security Patterns   How To Make Security Arch Easy To ConsumeSecurity Patterns   How To Make Security Arch Easy To Consume
Security Patterns How To Make Security Arch Easy To Consume
 
Agam Profile
Agam ProfileAgam Profile
Agam Profile
 
Agama Profile
Agama ProfileAgama Profile
Agama Profile
 
Assocham conf grc sept 13
Assocham conf  grc  sept 13Assocham conf  grc  sept 13
Assocham conf grc sept 13
 
TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 -  Security Architecture Ver1 0TOGAF 9 -  Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0
 
Information Security By Design
Information Security By DesignInformation Security By Design
Information Security By Design
 
Supply Chain Services - Business Risk & Management
Supply Chain Services - Business Risk & ManagementSupply Chain Services - Business Risk & Management
Supply Chain Services - Business Risk & Management
 
Bpo risk management 2013
Bpo risk management 2013Bpo risk management 2013
Bpo risk management 2013
 
Bpo risk management 2013
Bpo risk management 2013Bpo risk management 2013
Bpo risk management 2013
 
A brief overview of operational risk
A brief overview of operational riskA brief overview of operational risk
A brief overview of operational risk
 
Sw keynote
Sw keynoteSw keynote
Sw keynote
 
SOC 2 presentation. Overview of SOC 2 assessment
SOC 2 presentation. Overview of SOC 2 assessmentSOC 2 presentation. Overview of SOC 2 assessment
SOC 2 presentation. Overview of SOC 2 assessment
 
Riskpro information risk management 2013
Riskpro information risk management 2013Riskpro information risk management 2013
Riskpro information risk management 2013
 
Riskpro information risk management 2013
Riskpro information risk management 2013Riskpro information risk management 2013
Riskpro information risk management 2013
 
Security Certification - Critical Review
Security Certification - Critical ReviewSecurity Certification - Critical Review
Security Certification - Critical Review
 
Bpo risk management 2013
Bpo risk management 2013Bpo risk management 2013
Bpo risk management 2013
 
Bpo Risk Management
Bpo Risk ManagementBpo Risk Management
Bpo Risk Management
 
Bpo risk management 2013
Bpo risk management 2013Bpo risk management 2013
Bpo risk management 2013
 
Bpo risk management 2013
Bpo risk management 2013Bpo risk management 2013
Bpo risk management 2013
 
ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTING
 

Último

NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...Khaled Al Awadi
 
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)tazeenaila12
 
MC Heights construction company in Jhang
MC Heights construction company in JhangMC Heights construction company in Jhang
MC Heights construction company in Jhangmcgroupjeya
 
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...IMARC Group
 
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...AustraliaChapterIIBA
 
Entrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizationsEntrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizationsP&CO
 
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISINGUNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISINGlokeshwarmaha
 
Developing Coaching Skills: Mine, Yours, Ours
Developing Coaching Skills: Mine, Yours, OursDeveloping Coaching Skills: Mine, Yours, Ours
Developing Coaching Skills: Mine, Yours, OursKaiNexus
 
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfTalent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfCharles Cotter, PhD
 
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfGraham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfAnhNguyen97152
 
A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.mcshagufta46
 
Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Lviv Startup Club
 
7movierulz.uk
7movierulz.uk7movierulz.uk
7movierulz.ukaroemirsr
 
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdfAMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdfJohnCarloValencia4
 
Upgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsUpgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsIntellect Design Arena Ltd
 
Introduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptxIntroduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptxJemalSeid25
 
Intellectual Property Licensing Examples
Intellectual Property Licensing ExamplesIntellectual Property Licensing Examples
Intellectual Property Licensing Examplesamberjiles31
 
To Create Your Own Wig Online To Create Your Own Wig Online
To Create Your Own Wig Online  To Create Your Own Wig OnlineTo Create Your Own Wig Online  To Create Your Own Wig Online
To Create Your Own Wig Online To Create Your Own Wig Onlinelng ths
 

Último (20)

NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...
 
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
 
MC Heights construction company in Jhang
MC Heights construction company in JhangMC Heights construction company in Jhang
MC Heights construction company in Jhang
 
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
 
WAM Corporate Presentation Mar 25 2024.pdf
WAM Corporate Presentation Mar 25 2024.pdfWAM Corporate Presentation Mar 25 2024.pdf
WAM Corporate Presentation Mar 25 2024.pdf
 
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
 
Entrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizationsEntrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizations
 
Investment Opportunity for Thailand's Automotive & EV Industries
Investment Opportunity for Thailand's Automotive & EV IndustriesInvestment Opportunity for Thailand's Automotive & EV Industries
Investment Opportunity for Thailand's Automotive & EV Industries
 
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISINGUNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
 
Developing Coaching Skills: Mine, Yours, Ours
Developing Coaching Skills: Mine, Yours, OursDeveloping Coaching Skills: Mine, Yours, Ours
Developing Coaching Skills: Mine, Yours, Ours
 
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfTalent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
 
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfGraham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
 
A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.
 
Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)
 
7movierulz.uk
7movierulz.uk7movierulz.uk
7movierulz.uk
 
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdfAMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
 
Upgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsUpgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking Applications
 
Introduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptxIntroduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptx
 
Intellectual Property Licensing Examples
Intellectual Property Licensing ExamplesIntellectual Property Licensing Examples
Intellectual Property Licensing Examples
 
To Create Your Own Wig Online To Create Your Own Wig Online
To Create Your Own Wig Online  To Create Your Own Wig OnlineTo Create Your Own Wig Online  To Create Your Own Wig Online
To Create Your Own Wig Online To Create Your Own Wig Online
 

Srm And Asset Protection V1.0

• 5. Today, organisations face a new operating reality affecting the safety, security and continuity of their business (Source: S. Sidoti, Booz & Company)

• 6. Operational complexities have outpaced most operational risk management practices (Source: S. Sidoti, Booz & Company)

• 7. The result of these operational complexities, and the speed at which they develop, can be referred to as the 'resilience gap' (Source: S. Sidoti, Booz & Company)
• 8. This resilience gap, and the move towards networked operating models, presents new challenges for OpRisk management
  Operational Risk Management involves numerous techniques which address both loss reduction and event avoidance
  – Operational risks result from inadequate or failed internal processes, systems, people or from external events
  – Examples of operational risks include technology risk, legal risk, security risk and compliance risk
  Operational Risk is characterised by unpredictable, seemingly random events.
  – This is because operational risks range from extremely common to extremely rare, such as 1:100 year and 1:1,000 year events
  – For these types of risk, it is quite plausible that no data exists to calculate their magnitude or impact
  Basel Committee Operational Risk Loss Event Groups¹: 1. Internal fraud; 2. External fraud; 3. Employment practices and workplace safety; 4. Clients, products and business services; 5. Damage to physical assets; 6. Business disruption and system failures; 7. Execution, delivery and process management
  ¹ Alvarez, G. (2002) "Operational Risk Event Classification"
• 9. Of particular concern in operational risk management is the management of risks categorised as high impact, low probability
  Because of their scarcity, high impact, low probability operational risks typically lack data on likelihood, detailed insights as to how they may develop, and what the implications may be
  Low impact, low probability and low impact, high probability risks are typically more manageable because of the availability of data, enabling more informed risk-based decision making
  Figure 1: Four categories of 'Operational Risk Event' (a 2x2 matrix of Impact against Probability: High Impact / Low Probability, High Impact / High Probability, Low Impact / Low Probability, Low Impact / High Probability)
• 10. Basic Principles: Definitions; Steps in Security Risk Management; Treating Security Risks
• 11. Security Risk Management Definitions
  Risk: The chance of something happening that will have an impact upon objectives. Measured in terms of likelihood and consequence.
  Vulnerability: Any weakness that can be exploited by an aggressor to make an asset susceptible to change.
  Threat: Anything that has the potential to prevent or hinder the achievement of objectives or disrupt the processes that support them; a source of, or potential for, harm to occur; a source of risk.
  Consequence: The outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. There may be a range of possible outcomes associated with an event.
  Likelihood: Used as a general description of chance, probability or frequency of an event occurring.
  Source: HB167:2006 'Security Risk Management', Standards Australia
• 12. Step 1 in the Security Risk Management process is developing a comprehensive understanding of the business and its environment (Establish Context)
  The objective of establishing the context is to develop a comprehensive understanding of the business and its drivers
  – This is critical to the identification, analysis, evaluation and treatment of risks
  Think across the business, considering:
  – Physical interactions (i.e. business to business, business to customer etc)
  – Interactions which occur via an ICT interface
  Understand the organisation's strategic and operational objectives
  Understand, and preferably map, the organisation's external networks and interdependencies
  – This includes supply and distribution chains
  Understand the organisational structure
  What are the key earnings drivers?
  – Does a large proportion of the business revenue result from a small number of business activities?
  Understand, and preferably map, process flows within the organisation
  Identify and map critical interdependencies
• 13. Step 2, Risk Identification, aims to generate comprehensive insights into risks facing the organisation
  How could the risk happen?
  – Sources of risk
  Why could the risk happen?
  – Causes of risk
  – Presence or absence of risk treatments or controls designed to mitigate the risk
  What could happen and what might the associated consequences be?
  Where could the risk happen?
  – Physical location
  When could the risk happen?
  – E.g. can the risk only occur at specific times?
  Who could / must be involved in the specific risk event?
  – E.g. individuals, business units, etc
  Risk Identification Methods include: Checklists; Professional Judgement; Flowcharts; Brainstorming; Systems Analysis; Scenario Analysis; Groups of experts; Modelling and simulation; Fault tree analysis; Event tree analysis
• 14. Step 3: Risk Analysis uses available information to determine an event's probability and the magnitude of its consequences (1/2)
  Security Risk Analysis starts with an evaluation of a threat against a specific vulnerability. This evaluation is informed by two activities:
  – Threat Assessment; and
  – Vulnerability Assessment
  A Threat Assessment is concerned with identifying those events, aggressors, attackers or adversaries that can cause losses to organisational, community or individual assets¹.
  A Vulnerability Assessment considers how each of the credible threats (identified in the Threat Assessment) can be realised against each critical asset².
  The approach used to perform a risk analysis is dependent upon the type of activity concerned.
  – Security Risk Assessments on organisations typically utilise approaches which have a basis in security intelligence
  – Security Risk Assessments on products or services (e.g. credit cards, pharmaceuticals, welfare payments) typically utilise systems and processes which lend themselves to system or process engineering risk methodologies
  ¹ HB167:2006 Security Risk Management
  ² Ibid.
• 15. Step 3: Risk Analysis uses available information to determine an event's probability and the magnitude of its consequences (2/2)
  There are numerous risk assessment methodologies available. Considerations for deciding which risk assessment methodology to use can include:
  – Whether an organisation, process or system is under evaluation
  – Desired outcomes or objectives
  – Analyst familiarity with the techniques
  – Regulatory requirements
  – Existing practices within the organisation
  – Cost-benefit analysis
  – Availability of data (i.e. qualitative versus quantitative)
  – Available timeframe to conduct the assessment activity
  – Technical depth of the topic concerned
  Selecting the Risk Analysis Methodology
  – The analyst must determine which methodology is most appropriate
  – The most appropriate model could be a hybrid which combines elements from different methodologies
  Remember that no two risk assessment activities will be identical.
  – The most important consideration when designing and/or selecting a risk assessment methodology is being able to justify the approach
  – The approach must be reasonable and sufficiently robust to address potential legal issues, such as negligence and liability, in the event that a risk event arises
• 16. The Security Risk Management 'equation' illustrates how each component combines to generate a risk, which is then treated¹
  Risk - Risk Treatment = Residual Risk
  Risk = Likelihood x Consequence
  – Likelihood = Probability + Exposure
  – Consequence is derived from the Criticality Assessment
  Probability = Threat x Vulnerability
  Threat = Intent + Capability
  – Intent = Desire + Expectations
  – Capability = Knowledge + Resources + Skills
  ¹ HB167:2006 'Security Risk Management', Standards Australia
• 17. Step 4: Risk analysis concludes with each risk being rated so that decisions can be made about risk treatment priorities
  The purpose of risk evaluation is to group risks into three broad categories:
  – Broadly Acceptable
  – Tolerable (As Low As Reasonably Practicable)
  – Intolerable (i.e. catastrophic risks)
  The ALARP framework (shown as a figure on the slide) can help with deciding which risks require treatment, which can be ignored (left untreated), and to what extent.
  Source: Security Risk Management Body of Knowledge
• 18. Example: A business' annual revenue projections for the year are $850K, and it has approximately $2.2m in owners' equity¹ (Illustrative)
  • How many low impact losses might a company be able to tolerate?
  • What impact might a series of loss events have on the business' operating position for the next financial year?
  Chart: Likelihood against total losses over a one year period (consequence), from $0 to $4.5m in $750K steps, annotated with risk acceptance and financing bands:
  – Risks up to $850K can be retained (i.e. absorbed by the firm; not transferred; financed through earnings)
  – Risks resulting in losses over $850K, but under $2.2m, can be retained (losses can be absorbed by capital)
  – Risk events resulting in losses over $3m cause a catastrophic loss (cannot be …)
  ¹ Adapted from Bank for International Settlements (2003). "Operational Risk Transfer across the Financial Sectors"
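The decomposition on slide 16, the three bands on slide 17 and the retention thresholds on slide 18 can be carried through as one worked calculation. The Python below is an added example written for this page, not code from the presentation, from HB167 or from the SRMBOK. The 1..5 ordinal scale, the averaging used to keep each level of the tree on that scale, the two ALARP cut-offs and the sample component ratings are all assumptions; the $850K, $2.2m and $3m figures are the slide's own, and the chart's unlabelled $2.2m to $3m band is reported as unclassified rather than guessed.

```python
from dataclasses import dataclass, replace

SCALE_MAX = 5  # assumed: every component is rated on a 1..5 ordinal scale


@dataclass(frozen=True)
class RiskProfile:
    """One security risk, rated component by component down the slide 16 tree."""
    desire: int         # intent inputs
    expectations: int
    knowledge: int      # capability inputs
    resources: int
    skills: int
    vulnerability: int  # weakness the threat can exploit
    exposure: int       # how often / how much the asset is in harm's way
    consequence: int    # from the criticality assessment

    def intent(self) -> float:
        # Intent = Desire + Expectations (averaged to stay on the 1..5 scale)
        return (self.desire + self.expectations) / 2

    def capability(self) -> float:
        # Capability = Knowledge + Resources + Skills
        return (self.knowledge + self.resources + self.skills) / 3

    def threat(self) -> float:
        # Threat = Intent + Capability
        return (self.intent() + self.capability()) / 2

    def probability(self) -> float:
        # Probability = Threat x Vulnerability, normalised to 0..1
        return self.threat() * self.vulnerability / (SCALE_MAX ** 2)

    def likelihood(self) -> float:
        # Likelihood = Probability + Exposure, normalised to 0..1
        return (self.probability() + self.exposure / SCALE_MAX) / 2

    def risk(self) -> float:
        # Risk = Likelihood x Consequence, giving 0..5 on this scale
        return self.likelihood() * self.consequence


# Assumed cut-offs for slide 17's three bands (the slide names the bands but
# gives no numbers).
BROADLY_ACCEPTABLE_BELOW = 1.0
TOLERABLE_BELOW = 3.0


def evaluate(score: float) -> str:
    """Risk evaluation: place a risk score in one of the three ALARP bands."""
    if score < BROADLY_ACCEPTABLE_BELOW:
        return "broadly acceptable"
    if score < TOLERABLE_BELOW:
        return "tolerable (ALARP)"
    return "intolerable"


def residual_risk(profile: RiskProfile, **treatment: int) -> float:
    """Risk - Risk Treatment = Residual Risk. A treatment is expressed as the
    component ratings it changes, e.g. vulnerability=2 after a new control or
    consequence=4 after a continuity arrangement."""
    return replace(profile, **treatment).risk()


# Slide 18's figures: $850K earnings, $2.2m owners' equity, over $3m catastrophic.
# The slide's chart leaves the $2.2m..$3m band unlabelled, so it is reported as such.
EARNINGS = 850_000
EQUITY = 2_200_000
CATASTROPHIC_ABOVE = 3_000_000


def financing(loss: float) -> str:
    """Risk acceptance and financing band for a given annual loss figure."""
    if loss <= EARNINGS:
        return "retain: absorbed by earnings"
    if loss <= EQUITY:
        return "retain: absorbed by capital"
    if loss <= CATASTROPHIC_ABOVE:
        return "exceeds capital: band not classified on the slide"
    return "catastrophic loss"


if __name__ == "__main__":
    # Constructed example: a motivated, moderately capable attacker against a
    # highly exposed, poorly protected asset of top criticality.
    untreated = RiskProfile(desire=5, expectations=3, knowledge=4, resources=2,
                            skills=3, vulnerability=4, exposure=5, consequence=5)
    before = untreated.risk()
    after = residual_risk(untreated, vulnerability=2, exposure=3, consequence=4)
    print(f"risk {before:.2f}: {evaluate(before)}")
    print(f"residual risk {after:.2f}: {evaluate(after)}")
    for loss in (500_000, 1_500_000, 2_500_000, 3_500_000):
        print(f"loss ${loss:,}: {financing(loss)}")
```

The point of expressing a treatment as changed component ratings is that it makes the "Risk - Risk Treatment" step auditable: the example's control that cuts vulnerability from 4 to 2 and exposure from 5 to 3 moves the score from intolerable to tolerable, and a reviewer can see exactly which ratings were claimed to change. Any ordinal scheme like this still only ranks risks; the financing bands are where the numbers become dollars.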
• 19. Step 5: Once an acceptable level of risk for the organisation has been determined, four options are available to treat risk
  Ultimately, the cost of security measures used to manage risk exposure should not exceed the cost of the loss resulting from an event, or combination of critical events
  Reduce the risk:
  – Introduce controls to reduce the consequence or likelihood of the risk
  Avoid the risk:
  – Cease or change the activities which create the exposure to risk
  Share the risk:
  – Transfer part of the risk to a 3rd party, such as an insurer
  Accept the risk
  Chart: Risk Reduction: the optimum level of resourcing means balancing Cost of Security against Cost of Loss¹ ($ against time, with the optimum level of security resourcing marked between a rising cost of security curve and a falling cost of loss curve)
  ¹ Source: Protection of Assets Manual, Security Vulnerability
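Slide 19's rule that security spend should not exceed the loss it prevents can be made operational by costing each candidate control against the reduction in expected annual loss it buys. The Python below is an added example, not code from the presentation or from the Protection of Assets Manual; the event frequency, loss per event, and the four controls with their annual costs and reduction factors are constructed figures for illustration.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    likelihood_factor: float   # multiplies event frequency; 1.0 = no effect
    consequence_factor: float  # multiplies loss per event; 1.0 = no effect


def expected_annual_loss(frequency: float, loss_per_event: float,
                         controls: Sequence[Control]) -> float:
    """Cost of loss for one year with the given controls in place: events per
    year times loss per event, each reduced by every control's factor."""
    for c in controls:
        frequency *= c.likelihood_factor
        loss_per_event *= c.consequence_factor
    return frequency * loss_per_event


def select_controls(frequency: float, loss_per_event: float,
                    candidates: Sequence[Control]) -> Tuple[List[Control], float, float]:
    """Greedy search for the optimum level of security resourcing: repeatedly
    add the control whose cut in expected loss exceeds its cost by the largest
    margin, and stop as soon as no remaining control pays for itself.
    Returns (chosen controls, total cost of security, residual expected loss)."""
    chosen: List[Control] = []
    remaining = list(candidates)
    while remaining:
        base = expected_annual_loss(frequency, loss_per_event, chosen)
        best, best_net = None, 0.0
        for c in remaining:
            saved = base - expected_annual_loss(frequency, loss_per_event, chosen + [c])
            net = saved - c.annual_cost
            if net > best_net:
                best, best_net = c, net
        if best is None:  # every remaining control costs more than it saves
            break
        chosen.append(best)
        remaining.remove(best)
    cost_of_security = sum(c.annual_cost for c in chosen)
    return chosen, cost_of_security, expected_annual_loss(frequency, loss_per_event, chosen)


# Constructed scenario: 2 loss events a year at $400K each, $800K expected loss.
FREQUENCY = 2.0
LOSS_PER_EVENT = 400_000.0
CANDIDATES = [
    Control("access control upgrade", 60_000, 0.5, 1.0),
    Control("CCTV and guarding", 150_000, 0.8, 0.9),
    Control("incident response retainer", 40_000, 1.0, 0.7),
    Control("full site hardening", 500_000, 0.3, 0.5),
]

if __name__ == "__main__":
    chosen, spend, residual = select_controls(FREQUENCY, LOSS_PER_EVENT, CANDIDATES)
    untreated = expected_annual_loss(FREQUENCY, LOSS_PER_EVENT, [])
    print(f"untreated expected loss ${untreated:,.0f}")
    for c in chosen:
        print(f"  adopt {c.name} (${c.annual_cost:,.0f}/yr)")
    print(f"cost of security ${spend:,.0f} + cost of loss ${residual:,.0f}"
          f" = ${spend + residual:,.0f}")
```

Note what the stopping rule does to the expensive "full site hardening" option: on its own it would save more than any other control, but once the cheaper controls are in place its marginal saving no longer covers its cost, which is exactly the slide's point that spending past the optimum adds cost of security faster than it removes cost of loss. The greedy pass is an illustration, not a guarantee of the global optimum; with a handful of candidates an exhaustive search over subsets is cheap and removes that caveat.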
• 20. Relevance
• 21. In our increasingly complex and interconnected world, security, and by necessity security risk management, has never been so important
  The dynamic nature of criminal activity poses significant challenges to both private industry and Law Enforcement in terms of keeping pace with change.
  – Threats and vulnerabilities are a product of our global environment: social, political, economic, cultural and technological
  Emerging technologies typically have a radical impact on our environment.
  – They introduce additional complexity, making it hard to identify and manage vulnerabilities.
  – They provide new avenues for criminals to exploit, and typically present a low risk, high reward opportunity due to delayed detection and response.
  Many organisations fail to integrate security elements into new product development teams, meaning security is typically 'added on' rather than integrated into initial design concepts.
  – This approach typically increases the cost of implementing security whilst decreasing its effectiveness
  – This approach can also expose the organisation to unnecessary reputational risk
• 22. Security risks rapidly translate into catastrophic business continuity risks, threatening an organisation's future viability
  Organisations are increasingly becoming interlinked, so one organisation's vulnerability flows on to others in the value chain.
  – Many organisations fail to embed security risk management approaches across their business (horizontally and vertically) and throughout the supply chain.
  – Where security risk management approaches are implemented, there are often inconsistent levels of protection
  Factors such as increased technological innovation, competition, consumer demand, outsourcing and offshoring help accelerate the speed of business, impacting upon the timeframe companies have to identify and manage security risks
  Security and Business Continuity Risks¹ (Illustrative): incident and losses
  – 1982, Johnson & Johnson, product tampering (Tylenol I): $150m
  – 1986, Johnson & Johnson, product tampering (Tylenol II): $150m
  – 1986, Sandoz, fire and pollution: $85m
  – 1988, Norco, explosion and fire: $706m
  – 1988, Pan Am, terrorism: $652m
  – 1992, Commercial Union, terrorism: $2,170m
  ¹ Knight and Pretty (2002). "Impact of Catastrophes on Shareholder Value", Sedgwick Oxford.
• 23. Case Studies
  Case Study 1: Security Risk in Electronic Banking
  Case Study 2: Security Risk Management in a Biotech Company
  Case Study 3: Strategic Security Risk Management in Banking
• 24. Case Study: Security Risk in Electronic Banking
  "Money Mules" are intermediaries, working between criminals who obtain funds illegitimately from bank customers (victims). Money mules are an essential element in the criminal transfer of money, including money laundering, with respect to the proceeds of online banking crime.
  Money mules are typically recruited through seemingly legitimate employment opportunities. People typically work as money mules for secondary employment. Characteristically, one mule will recruit others from within their social network.
  Mules must open bank accounts in their country of origin to transfer stolen funds to overseas criminal syndicates.
  Money mules are a critical enabler as they are required to perpetrate online banking crimes across international borders.
  Using analytical and GIS mapping techniques, we profiled the typical 'mule' in Australia. These profiles could then be integrated into fraud detection systems, providing additional monitoring for 'high risk' individuals (potential mules).
  Key Consideration: Approaches to Security Risk Management should not be limited to published standards. Often, complex risks cannot be addressed through 'normal' approaches.
• 25. Case Study: Security Risk Management in a Biotech Company
As knowledge-creating businesses, the majority of assets in a biotech company are intangible and therefore difficult to identify and protect. Many biotechnology companies are heavily engaged in R&D and also engage extensively with third parties through activities such as Joint Ventures.
A biotechnology company had entered into a joint venture with a vendor to commence trials on a new diagnostic test, with a view to taking the diagnostic to market. Recognising the value of the potential opportunity, the vendor made a lucrative offer to hire the research team, unbeknownst to the research team’s employer. In the absence of any controls, the research team only partially documented their research outcomes. Less than three weeks after resigning, the research team had filed three separate patent applications.
Research documentation has a significant impact on the ability to obtain a patent, which is the best way of recovering these types of investments on R&D. This precluded the biotech from commercialising the diagnostic, pending a court hearing.
Key Consideration: Security risks are often industry- and organisation-specific. Unless identified early, potentially catastrophic risks can easily be overlooked.
• 26. Case Study: Quantifying Strategic Security Risk in Banking
Financial institutions, their customers and merchants represent lucrative targets for criminals. Conversely, law enforcement is typically required to provide a response to attacks against banks with little forewarning and inadequate time to understand the complex systems and environment.
Australia’s banks and law enforcement agencies wanted to identify potential global technology-enabled financial crime [TEFC] (e.g. online banking fraud) hotspots. Early warning of potential high-risk countries would enable the implementation of more stringent controls around banking platforms. This information could also be used by law enforcement with respect to international cooperation and training activities, especially in developing countries. No previous attempts had been made to rank TEFC security risks in this manner.
By applying strategic intelligence techniques to a selection of key data indicators and using a scored and weighted algorithm, we were able to quantitatively rank every country in the world with respect to its TEFC risk status.
Key Consideration: Common security risk management methodologies are not always suitable. Innovative or hybrid approaches may be utilised provided they are defensible.
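The slide describes a "scored and weighted algorithm" over key indicators but does not give the indicators, weights or scoring rule. The block below is an added illustration of how such a ranking is commonly built (min-max normalisation of each indicator to a 0–1 risk scale, weighted average, sort); it is not the presenter's or Booz & Company's model. Every indicator name, weight, country label and value is a constructed placeholder, and the direction flags (whether a high value means more or less risk) are an assumption about how an analyst would treat such inputs. The one deliberate edge case is an indicator that takes the same value for every country: it carries no information and is scored zero rather than dividing by zero.

```python
"""Weighted-indicator risk ranking (added illustrative example).

Not the model from the presentation. All indicator names, weights,
country labels and values below are constructed placeholders.
"""
from typing import Dict, List, Tuple

# Hypothetical indicators. True  = a higher value means higher TEFC risk.
#                          False = a higher value means LOWER risk
#                                  (e.g. stronger enforcement cooperation).
INDICATOR_DIRECTION: Dict[str, bool] = {
    "phishing_hosts_per_million": True,
    "reported_mule_recruitment_ads": True,
    "cybercrime_law_in_force": False,
    "le_cooperation_index": False,
}

# Hypothetical analyst weights; they need not sum to 1.
WEIGHTS: Dict[str, float] = {
    "phishing_hosts_per_million": 3.0,
    "reported_mule_recruitment_ads": 2.0,
    "cybercrime_law_in_force": 1.0,
    "le_cooperation_index": 2.0,
}

# Constructed sample data for placeholder countries (not real figures).
SAMPLE_DATA: Dict[str, Dict[str, float]] = {
    "Country A": {"phishing_hosts_per_million": 40, "reported_mule_recruitment_ads": 120,
                  "cybercrime_law_in_force": 1, "le_cooperation_index": 0.8},
    "Country B": {"phishing_hosts_per_million": 5, "reported_mule_recruitment_ads": 10,
                  "cybercrime_law_in_force": 1, "le_cooperation_index": 0.9},
    "Country C": {"phishing_hosts_per_million": 25, "reported_mule_recruitment_ads": 300,
                  "cybercrime_law_in_force": 0, "le_cooperation_index": 0.2},
    "Country D": {"phishing_hosts_per_million": 60, "reported_mule_recruitment_ads": 80,
                  "cybercrime_law_in_force": 0, "le_cooperation_index": 0.5},
}


def normalise(values: Dict[str, float], higher_is_riskier: bool) -> Dict[str, float]:
    """Min-max scale one indicator across countries to [0, 1], 1 = most risky.

    If every country has the same value the indicator cannot discriminate
    between them, so it contributes 0 to everyone (and avoids a zero divisor).
    """
    lo, hi = min(values.values()), max(values.values())
    if hi == lo:
        return {country: 0.0 for country in values}
    out: Dict[str, float] = {}
    for country, v in values.items():
        scaled = (v - lo) / (hi - lo)
        out[country] = scaled if higher_is_riskier else 1.0 - scaled
    return out


def score_countries(data: Dict[str, Dict[str, float]],
                    weights: Dict[str, float],
                    directions: Dict[str, bool]) -> Dict[str, float]:
    """Weighted average of the normalised indicators; each score lies in [0, 1]."""
    total_weight = sum(weights.values())
    scores = {country: 0.0 for country in data}
    for indicator, w in weights.items():
        column = {country: data[country][indicator] for country in data}
        norm = normalise(column, directions[indicator])
        for country in data:
            scores[country] += w * norm[country]
    return {country: s / total_weight for country, s in scores.items()}


def rank_countries(data: Dict[str, Dict[str, float]],
                   weights: Dict[str, float],
                   directions: Dict[str, bool]) -> List[Tuple[str, float]]:
    """Highest composite risk first. Ties are broken alphabetically so the
    ordering is deterministic, which matters when the method must be defended."""
    scores = score_countries(data, weights, directions)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    ranking = rank_countries(SAMPLE_DATA, WEIGHTS, INDICATOR_DIRECTION)
    for position, (country, score) in enumerate(ranking, start=1):
        print(f"{position}. {country}: {score:.3f}")
```

Because the weights and direction flags are explicit data rather than buried in code, a reviewer can inspect and challenge them, which is what makes the ranking defensible in the sense the slide asks for. Swapping in a different normalisation (for example rank-based rather than min-max) changes only `normalise`.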
• 27. Additional Resources
– References
– Sample Reports
• 28. Publicly available Security Risk Management resources include standards, manuals, handbooks and other useful references
Standards
– AS/NZS 4360:2004 Risk Management
– BS7799 Information Security Management (ISO17799 and ISO27001)
– Malaysian Standard ICS 03.100 Business Continuity Management
– ISO/DIS 31000: Risk Management – Principles and guidelines on implementation (DRAFT)
Manuals, Handbooks and Guidelines
– Standards Australia - HB167:2006 Security Risk Management
– RMIA - Security Risk Management Body of Knowledge
– ASIS International Protection of Assets Manual
– US Coast Guard - Risk Based Decisions Manual (2nd Edition)
– ASIS International - General Guideline for Security Risk Assessment
Books
– Risk Analysis and the Security Survey (3rd Edition)
• 29. Numerous examples of Security Risk Management activities are publicly available which can be used to tailor your approach (illustrative)
– US Department of Energy - Vulnerability Assessment Methodology
– US Department of Homeland Security - Vulnerability Assessment Methodologies Report 2003
– BASF Security Vulnerability Assessment (SVA) Methodology & Enhanced Security Implementation Management
– US Critical Infrastructure Assurance Office - Vulnerability Assessment Framework (1998)
– UK Serious Organised Crime Agency - Threat Assessment of Serious / Organised Crime 2006/07
– EU Organised Crime Threat Assessment 2007
• 30. Thank you for your participation. Questions?
Paul Curwell
Booz & Company (Australia) Ltd.
Level 7, 12 Moore St, Canberra City ACT 2601, Australia
Tel +61 2 6279 1966
Mob +61 413 593 074
Fax +61 2 6279 1990
Paul.Curwell@booz.com