INTRODUCTION TO THE DEPARTMENT OF HOMELAND SECURITY
Gregory Allen
CHAPTER OUTLINE
Introduction
Homeland Security Platform
Risk Analysis and Management for Critical Asset Protection
Asset Characterization and Screening
Threat Characterization
Consequence Analysis
Vulnerability Analysis
Threat Assessment
Risk Assessment
Homeland Security Act of 2002
Homeland Security Presidential Directives
Abstract
The Department of Homeland Security (DHS) has set the framework and best practices for all security professionals. This chapter outlines different parts of the DHS organization and the importance of each area of homeland security risk management. Central to this policy are the premises that security partners can most effectively manage risk by working together and that management capabilities must be built, sustained, and integrated with federal, state, local, tribal, territorial, nongovernmental, and private sector homeland security partners. Although successful integration requires implementation across the entire homeland security enterprise, the DHS plays an essential role in leading the unified effort to manage risks to the nation from a diverse and complex set of hazards, including acts of terrorism, natural and human-made disasters, pandemics, cyber attacks, and transnational crime.
http://dx.doi.org/10.1016/B978-0-12-802224-5.00001-4
Keywords: Department of Homeland Security (DHS), Central Intelligence Agency (CIA), Federal Bureau of Investigation (FBI), Transportation Security Administration (TSA), Risk Analysis and Management for Critical Asset Protection (RAMCAP), asset characterization, threat characterization, consequence, vulnerability, threat, risk, Homeland Security Act of 2002, Homeland Security Presidential Directives (HSPD), National Incident Management System (NIMS), Federal Emergency Management Agency (FEMA), National Continuity Policy.
Introduction
The Department of Homeland Security (DHS) has set the framework and best practices for all security professionals. This chapter outlines different parts of DHS and the importance of each area of homeland security risk management. According to the Homeland Security Risk Management Doctrine:
…In May 2010, the Secretary of Homeland Security established a Policy for Integrated Risk Management (IRM). Central to this policy is the premise that security partners can most effectively manage risk by working together, and that management capabilities must be built, sustained, and integrated with Federal, state, local, tribal, territorial, nongovernmental, and private sector homeland security partners. While successful integration requires implementation across the entire homeland security enterprise, the Department of Homeland Security (DHS) plays an essential role in leading the unified effort to manage risks to the Nation from a diverse and complex set of hazards, including acts of terrorism, natural and manmade disasters, pandemics, cyber attacks, and transnational crime.1
Homeland Security Platform
Before learning about risk itself, it is a good idea to understand how everything fits together to form the mindset of risk analysis and organizational security. Terrorism has existed for hundreds, if not thousands, of years, and we have all read about terrorist attacks around the world, the destruction they caused, and the lives they took. But not until the 1993 World Trade Center bombing did Americans realize that terrorism could be directed against us and occur on our own soil. That should have been a wake-up call; however, it was not until the September 11, 2001 attacks that we realized that international terrorism is as much of a threat as domestic terrorism. Intelligence agencies across the world failed to protect us, and nearly 3000 lives were taken in an act that should have been prevented.
1 Beers, 2011.
More lives would have been lost were it not for Rick Rescorla, director of security for Morgan Stanley, who for years before the attack made the firm's employees working in the Twin Towers at the World Trade Center practice an emergency evacuation plan on a regular basis. His forethought saved the lives of nearly all of those employees, although he himself died in the attacks. At least one person tried to be prepared for such a horrific event.
As a result of this event, we realized not only that our intelligence community was not prepared to protect our nation but also that our law enforcement community had not been informed of the terrorist activity leading up to the attacks.
The 19 hijackers involved in the attacks had performed their own due diligence on soft and hard targets whose loss would make an immediate impact on this country, and they did so without being noticed. We later learned that the hijackers had spent time in the Las Vegas, Nevada, area considering an attack on the city that would place stress on its financial sector. They concluded, however, that the money flowing through Las Vegas was discretionary and that an attack there would not be financially crippling. In the months before the attacks, several of the hijackers were stopped by local and state police for traffic violations, but there was no hint of terrorist activity or movement. The 9/11 attacks might have been stopped if our intelligence community had obtained information on these activities. That was not the case, and the attacks showed other countries our vulnerabilities and our inability to handle such events on our own soil.
The U.S. DHS was established on November 25, 2002, in response to the 9/11 attacks. The department's purpose is to protect the homeland of the United States and U.S. territories. DHS is one of the most important agencies in the country because it is responsible for responding to terrorist attacks, natural disasters, and man-made accidents. Before the attacks on 9/11, most of the U.S. population believed that we were invulnerable and unaffected by attacks occurring in other countries. The 9/11 attacks opened the eyes of many Americans, and of the federal government, to our vulnerability.
The DHS was created to thwart further attacks on the United States and its territories. Before 9/11, most local, state, and federal agencies did not communicate with each other to share information about illegal activities, let alone terrorists' movements. These were agencies such as the Central Intelligence Agency (CIA); the Federal Bureau of Investigation (FBI); and the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF). Before 9/11, little information about terrorist activities was shared between agencies, and terrorism investigations were rarely conducted collaboratively. Had more information been shared, the 9/11 attacks might not have occurred.
The DHS was put into place to centralize information-sharing initiatives from agencies such as the FBI, CIA, ATF, and other defense agencies within the United States. The intent was to defend our borders more effectively against further attacks. Some have questioned the effectiveness of DHS because there has not been another large-scale foreign terrorist attack on U.S. soil, but others suggest that this is precisely because of the department's presence and that it has worked as planned.
The American people have noticed some inconsistencies in the DHS approach to national security (e.g., repeated changes in Transportation Security Administration [TSA] screening procedures). However, changes are constantly being made in the hope of protecting this nation properly. Our defensive efforts need to be right 100% of the time, whereas a terrorist only has to be right once for a disaster to occur.
Risk Analysis and Management for Critical Asset Protection
Another framework to address is Risk Analysis and Management for Critical Asset Protection (RAMCAP). RAMCAP is used for risk analysis and management of terrorist attacks on critical infrastructure assets. It provides users with a consistent and sound methodology to identify, analyze, quantify, and communicate the characteristics of an asset that terrorists may use to select targets and methods of attack, and the impacts an attack would have. The process is used primarily to identify security vulnerabilities, but it also provides methods to evaluate what can be done to address those weaknesses.
RAMCAP is a simple, transparent, and effective tool to help our nation's critical infrastructure sectors, whether public or private. It allows risks to be compared and contrasted at any level or in any sector and is adaptable to the strengths and weaknesses of each. It looks at alternative pathways for achieving the objectives needed for a positive result. Business owners and operators can use the process to assess the consequences and vulnerabilities related to terrorist attacks on their infrastructure. It also gives them guidance for assessing and evaluating risk through a common framework, and it provides an efficient mechanism for both the public and private sectors to report risks to DHS. This reporting is important because it gives DHS a baseline for risk assessment and the tools needed to protect our critical infrastructure. These efforts foster the development and distribution of more refined methods for improving the quality and consistency of risk assessment.
Risk analysis methods were in use even before the 9/11 attacks; after the attacks, they were used more widely, although not to the extent that had been expected. Both the public and private sectors have used RAMCAP to apply risk analysis to terrorism and homeland security. The RAMCAP methods were developed to protect our critical infrastructure by using a general, broad-based approach.
RAMCAP has both a qualitative and a quantitative framework and is intended to support a cooperative effort between the public and private sectors. Each partner, at whatever level, has different goals, and by working together, each participant contributes information that is valuable to the others. No sector is in a position to know all of another's vital information, even the information that is important to risk assessment. The same is true of any facility or system when it comes to understanding the intentions or capabilities of a terrorist movement. By working together and sharing information and knowledge through RAMCAP, participants are able to achieve their goals. RAMCAP can assist with the different types of analysis needed to assess the results that a terrorist attack might produce.
RAMCAP comprises six interrelated steps of analysis. They are as follows.
Asset Characterization and Screening
Asset characterization and screening is the analysis of a facility's or system's operational process to identify critical assets and hazards, together with a preliminary evaluation of what a terrorist act against them could cause.
Threat Characterization
Threat characterization is the identification of the specific and general aspects of terrorist attacks on a given target. DHS has compiled a set of baseline threats that are evaluated for each asset or system. Known threats are identified through the collaborative activities of law enforcement agencies and intelligence organizations that are responsible for understanding the means, methods, and motivations of terrorists. The evaluation is based on the types of threats that are present. Partners can then apply these threats to the facility or system based on their knowledge of the assets. Not every baseline threat applies to every asset.
Consequence Analysis
Consequence analysis is the identification of the worst consequences that a given threat could generate. This step looks at facility and system design, layout, and operations to identify the types of consequences that could result. Consequences can be quantified as financial costs as well as fatalities and injuries. They can also include psychological impacts and effects on the nation.
Vulnerability Analysis
Vulnerability analysis is the determination of the likelihood that an attack using a given threat against a specific asset will succeed. It involves evaluating the security capabilities, countermeasures, and mitigations that lessen the probability of a successful attack.
Threat Assessment
Threat assessment involves two steps. The first is an evaluation of asset attractiveness; the second is a full threat assessment. The attractiveness assessment estimates the value that a terrorist attack on a given facility or system would have to the attacker and the deterrent value of protecting that target; it is made by the owner or operator of the target. The threat assessment is conducted by DHS, which considers how attractive the target is along with terrorists' capabilities and intent.
Risk Assessment
Risk assessment is a systematic and comprehensive evaluation of previously developed data that was gathered for a specific facility or system. The partners create a foundation for the selection of strategies and tactics to defend against terrorism on any level.
Risk management is a deliberate process of understanding risk and making a decision on implementing a plan to achieve an acceptable level of risk at a cost. Risk management includes identification, evaluation, and the control of risk to the level of accepted value.
Many assets are considered critical by DHS, and organizations that must follow federal compliance policies are required to complete a vulnerability assessment. The assessment is based on conditional risk, that is, the risk given that an attack occurs. All data are gathered and evaluated for possible deterrence of future attacks. From this process, DHS has the information it needs to allocate resources effectively for reducing the risk of terrorism on a national scale.
Homeland Security Act of 2002
The primary purposes of the Homeland Security Act were to prevent terrorist attacks within the United States, reduce the vulnerability of the United States to terrorism, and minimize the damage from, and assist with the recovery from, any attack on our soil.
Through the Homeland Security Act of 2002, Congress created a standalone entity to unify our national homeland security efforts. DHS was formed by combining 22 existing federal agencies. Shortly after the 9/11 attacks, Tom Ridge was appointed to lead the new Office of Homeland Security, which coordinated efforts to protect the country through a comprehensive strategy against terrorism and other attacks; he later became the first Secretary of DHS. DHS officially opened its doors on March 1, 2003. Michael Chertoff, who became DHS Secretary on February 15, 2005, initiated a Second Stage Review to evaluate DHS's operations, policies, and procedures. More than 250 members of the organization and 18 action teams contributed to the effort. The teams also worked with public and private sector partners, and the review resulted in a significant reorganization of the department.
In 2010, Secretary Janet Napolitano completed the first Quadrennial Homeland Security Review, which created a more unified, strategic framework for homeland security missions and goals. DHS then conducted a bottom-up review to align all of its components with the missions and goals that had been put in place. Through this review, public and private sector partners were brought together for a better understanding of a unified approach to national security, with the primary purpose of protecting our homeland.
Homeland Security Presidential Directives
Homeland Security Presidential Directives (HSPD) are issued by the sitting president on issues regarding homeland security. There are presently three directives that bear directly on the role of our emergency response system. The following are some of the 25 directives that have been issued:
1. HSPD-5: The Management of Domestic Incidents establishes a single, comprehensive National Incident Management System (NIMS) and National Response Framework.
2. HSPD-7: Critical Infrastructure Identification, Prioritization and Protection requires federal agencies to coordinate the protection of crucial infrastructure and other key resources. For example, the Environmental Protection Agency (EPA) is responsible for our drinking water and water treatment systems.
3. HSPD-8: National Preparedness directs federal agencies and departments to be prepared to prevent and respond to threatened or actual terrorist attacks, major disasters, and other emergencies wherever they occur in the United States. The Federal Emergency Management Agency (FEMA) provides assistance when needed.
4. HSPD-9: Defense of United States Agriculture and Food establishes a national policy to defend the agriculture and food system against terrorist attacks, disasters, or any other emergency that may occur. The EPA and other federal agencies are tasked with developing and enhancing intelligence operations, focusing on the agriculture, food, and water sectors. Surveillance and monitoring systems are put into place for the development of effective countermeasures.
5. HSPD-10: Biodefense for the 21st Century involves coordination with federal agencies in developing strategies and guidelines for response to and recovery from biological weapons attacks.
6. HSPD-12: Policy for a Common Identification Standard for Federal Employees and Contractors sets a standard for secure and reliable identification of federal employees and contractors; it is implemented through the Personal Identity Verification (PIV) credential defined in FIPS 201.
7. HSPD-14: Domestic Nuclear Detection coordinates efforts to protect our nation against dangers from nuclear and radiological materials.
8. HSPD-20: The National Continuity Policy was established as a national policy on the continuity of our nation’s agencies and operations after an emergency. Federal agencies need to have a continuity of operations plan in place.
9. HSPD-23: The Cyber Security Initiative requires federal agencies to monitor cyber activity against federal agencies’ computer systems and to plan efforts to eliminate sources of hostile actions.
WHAT IS RISK?
Rachel Derr
CHAPTER OUTLINE
Introduction
Understanding Physical Security Risk
Risk Management
Operational Risk
Legal Risk (Information Security)
ISO 17799 and BS 7799: The Key Components of the Standard
Information Security Policy for the Organization
Creation of Information Security Infrastructure
Asset Classification and Control
Personnel Security
Physical and Environmental Security
Communications and Operations Management
Access Control
System Development and Maintenance
Business Continuity Management
Compliance
Reputational Risk
Managing Reputational Risk
Abstract
In this chapter, you will learn that security in any system should be commensurate with its risks. However, the process to determine which security controls are appropriate and cost effective is quite often a complex and sometimes a subjective matter. One of the prime functions of security risk analysis is to put this process on a more objective basis. Risk management is a process used to implement security measures to reduce risks to a reasonable and acceptable level. Every organization should have some form of risk management in place to adequately protect its assets. Risk management studies the risk, vulnerabilities, and threats to any asset that an organization faces. Risk management can be used to address all the different hazards that an organization could potentially face. It is not only used for protection against human-made attacks; it is also used to protect against naturally occurring events such as tornadoes, hurricanes, and other natural disasters.
Keywords: risk management, asset assessment, operational risk, business continuity, risk assessment, criticality, legal risk, access control, physical security, compliance, reputational risk.
Introduction
Risk is the potential for an adverse outcome assessed as a function of threats, vulnerabilities, and consequences associated with an incident, event, or occurrence. “Risk management” is defined by Department of Homeland Security (DHS) as the process by which society attempts to reduce risk “to an acceptable level at an acceptable cost.”1 Risk is uncertainty.
Understanding Physical Security Risk
To understand how to perform an enhanced threat and risk assessment, it is important to understand the different areas that make up the actual process. In this text, the process is broken down into four elements:
● Risk
● Threat
● Vulnerability
● Consequence
Risk management is a process used to implement security measures to reduce risks to a reasonable and acceptable level. Every organization should have some form of risk management in place to adequately protect its assets. Risk management studies the risk, vulnerabilities, and threats to any asset that an organization faces. It can be used to address all the different hazards that an organization could potentially face: it is used not only for protection against human-made attacks but also to protect against naturally occurring events such as tornadoes, hurricanes, and other natural disasters. This tool is used to manage risk to an acceptable level at an affordable cost. Like everything else in the world, risk management does not come without a price. An effective risk management plan has a cost, but by following the steps below, you can have a cost-effective plan.
1 Schanzer and Eyerman, 2010.
There are five main steps to risk management:
1. Asset assessment: Determine the value of the assets that require protection. These can be anything that has value to your organization, including staff, information, hardware, and software. Identify undesirable events and their expected impacts, and value and prioritize assets based on the consequence of their loss.
2. Assess threats: Identify threat categories and adversaries, assess the intent and the capabilities of each adversary, determine the history of past incidents, and estimate the threat to each valued asset.
3. Assess vulnerabilities: Identify the vulnerabilities of assets relative to undesirable events, identify existing countermeasures and their effectiveness in mitigating those vulnerabilities, and estimate the degree of vulnerability of each asset to each related threat.
4. Assess risk: Estimate the degree of impact on each valued asset, the likelihood of an attack by a potential adversary, and the likelihood that the adversary will succeed; determine the resulting risk; and prioritize risks based on asset value.
5. Determine countermeasure options: Identify all potential countermeasures, identify each countermeasure's benefit in terms of risk reduction and its cost, prioritize the options, and prepare a recommendation for the decision maker. The main goal of risk management is to prevent adversaries from exploiting an organization's vital assets.
One formula that is used in risk management is as follows:
Organizations need to decide whether they want to manage risk effectively or take a risk-averse approach. A risk-averse approach always addresses the worst-case scenario, whereas risk management allows you to prioritize and address the specific risks that could be detrimental to an operation.
At the beginning of the book, we discussed what risk is. Going forward, we will look at what constitutes risk.
Risk has many interpretations and the term is often used to describe dangers or threats to a particular person, environment, or business. The following is just one definition:
Understanding risk includes understanding of the different elements and how they fit together. For example, considerations from a business perspective may include:
● What are the different types of threats to the organization?
● What are the organization’s assets that need protecting from the threats?
● How vulnerable is the organization to different threats?
● What is the likelihood that a threat will be realized?
● What would be the impact if a threat were realized?
● How can the organization reduce the likelihood of a threat being realized or reduce the impact if it does occur?
Asset: People, property, and information. People may include employees and customers along with other invited persons such as contractors or guests. Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information. Information may include databases, software code, critical company records, and many other intangible items.
An asset is what we're trying to protect.
Threat: Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.
A threat is what we're trying to protect against.
Vulnerability: A weakness or gap in a security program that can be exploited by a threat to gain unauthorized access to an asset.
A vulnerability is a weakness or gap in our protection efforts.
Risk: The potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability.
Risk is the intersection of assets, threats, and vulnerabilities. Why is it important to understand the difference between these terms? If you don’t understand the difference, you’ll never understand the true risk to assets. You see, when conducting a risk assessment, the formula used to determine risk is a function of threats exploiting vulnerabilities to obtain, damage, or destroy assets. Thus, threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities, then there is little or no risk. Similarly, you can have vulnerability, but if you have no threat, then you have little or no risk. Accurately assessing threats and identifying vulnerabilities are critical to understanding the risk to assets. Understanding the difference among threats, vulnerabilities, and risk is the first step.
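The five risk-management steps listed earlier in this section and the asset, threat, vulnerability, and risk definitions just given can be exercised on a small risk register. The following Python is an added example, not code from the chapter or from DHS; the multiplicative scoring form (loss value times attack likelihood times vulnerability), the greedy countermeasure selection, and every asset name, dollar figure, and probability in it are constructed for illustration.

```python
"""Added example (not from the chapter): a small risk register that walks the
five risk-management steps and shows why a threat with no vulnerability, or a
vulnerability with no threat, scores zero risk.

Scoring model, an assumption of this example rather than the chapter's formula:
    risk = loss_value * likelihood * vulnerability
loss_value is the asset's consequence of loss in dollars, likelihood is the
annual probability that an adversary attempts the attack, and vulnerability is
the probability that the attempt succeeds under current countermeasures.
All assets, threats, probabilities and costs below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    loss_value: float              # step 1: consequence of losing the asset, in dollars


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str                     # name of the Asset targeted
    likelihood: float              # step 2: annual probability of an attempt
    vulnerability: float           # step 3: probability the attempt succeeds today


@dataclass(frozen=True)
class Countermeasure:
    name: str
    threat: str                    # name of the Threat it addresses
    cost: float                    # one-time cost, in dollars
    residual_vulnerability: float  # success probability once deployed


def risk_of(threat: Threat, assets: dict, vulnerability: Optional[float] = None) -> float:
    """Score one threat. A zero likelihood or a zero vulnerability yields zero risk."""
    v = threat.vulnerability if vulnerability is None else vulnerability
    return assets[threat.asset].loss_value * threat.likelihood * v


def assess_risk(assets: dict, threats: list) -> list:
    """Step 4: score every threat and rank highest risk first."""
    scored = [(t.name, risk_of(t, assets)) for t in threats]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def select_countermeasures(assets: dict, threats: list, options: list, budget: float):
    """Step 5: pick countermeasures by risk reduction per dollar until the budget
    runs out, at most one per threat. Greedy selection is a simplification and is
    not guaranteed to be optimal for a fixed budget."""
    by_name = {t.name: t for t in threats}
    ranked = []
    for cm in options:
        t = by_name[cm.threat]
        reduction = risk_of(t, assets) - risk_of(t, assets, cm.residual_vulnerability)
        if reduction > 0 and cm.cost > 0:
            ranked.append((reduction / cm.cost, cm))
    ranked.sort(key=lambda pair: pair[0], reverse=True)

    chosen, covered, remaining = [], set(), budget
    for _, cm in ranked:
        if cm.threat in covered or cm.cost > remaining:
            continue
        chosen.append(cm)
        covered.add(cm.threat)
        remaining -= cm.cost

    residual = {t.name: risk_of(t, assets) for t in threats}
    for cm in chosen:
        residual[cm.threat] = risk_of(by_name[cm.threat], assets, cm.residual_vulnerability)
    return chosen, sum(residual.values())


# Constructed register; names, values and probabilities are illustrative only.
ASSETS = {a.name: a for a in [
    Asset("customer database", 2_000_000),
    Asset("lobby signage", 5_000),
    Asset("backup generator", 150_000),
]}
THREATS = [
    Threat("SQL injection against customer portal", "customer database", 0.6, 0.5),
    Threat("Vandalism of lobby signage", "lobby signage", 0.9, 1.0),
    Threat("Insider copies customer database", "customer database", 0.2, 0.0),  # threat, no vulnerability
    Threat("Theft of generator fuel", "backup generator", 0.0, 0.8),            # vulnerability, no threat
    Threat("Flooding of generator room", "backup generator", 0.1, 0.7),
]
OPTIONS = [
    Countermeasure("Parameterized queries plus WAF", "SQL injection against customer portal", 40_000, 0.05),
    Countermeasure("Anti-graffiti coating", "Vandalism of lobby signage", 2_000, 0.5),
    Countermeasure("Raise generator pad above flood line", "Flooding of generator room", 30_000, 0.1),
    Countermeasure("Posted guard at signage", "Vandalism of lobby signage", 50_000, 0.0),
]


def run_example(budget: float = 45_000):
    """Run the full cycle on the constructed register and return the results."""
    ranked = assess_risk(ASSETS, THREATS)
    chosen, residual_total = select_countermeasures(ASSETS, THREATS, OPTIONS, budget)
    return ranked, [cm.name for cm in chosen], residual_total


if __name__ == "__main__":
    ranked, chosen, residual_total = run_example()
    for name, score in ranked:
        print(f"{score:>12,.0f}  {name}")
    print("Selected:", ", ".join(chosen))
    print(f"Residual annual risk: {residual_total:,.0f}")
```

The two zero-scoring rows are the point made in the text: the insider threat exists but has no exploitable vulnerability, and the fuel theft vulnerability exists but has no threat behind it, so neither attracts spending. The selection step also shows why the "posted guard" option never wins even though it drives vulnerability to zero: its risk reduction per dollar is far below the cheaper coating that addresses the same threat.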
A security threat assessment is a systematic review or analysis conducted by professional security consultants to examine the effectiveness of current security practices. The assessment identifies security deficiencies and includes a review of all security measures presently in place to determine their effectiveness and functionality as well as their usefulness to the overall security effort. After the assessment is completed, recommendations are made to correct deficiencies, mitigate security risks, and protect the organization's assets. Ideally, these recommendations become the road map that businesses can use to develop security plans as a part of their business plans.
Today’s business world is constantly changing—it’s unpredictable and volatile and seems to become more complex every day. By its very nature, it is fraught with risk.
Historically, businesses have viewed risk as a necessary evil that should be minimized or mitigated whenever possible. In recent years, increased regulatory requirements have forced businesses to expend significant resources to address risk, and shareholders in turn have begun to scrutinize whether businesses had the right controls in place. The increased demand for transparency around risk has not always been met or met in a timely manner, however, as evidenced by the financial market crisis in which the poor quality of underlying assets significantly impacted the value of investments. In the current global economic environment, identifying, managing, and exploiting risk across an organization has become increasingly important to the success and longevity of any business.
Risk assessment provides a mechanism for identifying which risks represent opportunities and which represent potential pitfalls. Done right, a risk assessment gives organizations a clear view of variables to which they may be exposed, whether internal or external, retrospective or forward looking. A good assessment is anchored in the organization’s defined risk appetite and tolerance and provides a basis for determining risk responses. A robust risk assessment process, applied consistently throughout the organization, empowers management to better identify, evaluate, and exploit the right risks for their business, all while maintaining the appropriate controls to ensure effective and efficient operations and regulatory compliance.
For risk assessments to yield meaningful results, certain key principles must be considered. A risk assessment should begin and end with specific business objectives that are anchored in key value drivers. These objectives provide the basis for measuring the impact and probability of risk ratings. Governance over the assessment process should be clearly established to foster a holistic approach and a portfolio view—one that best facilitates responses based on risk ratings and the organization’s overall risk appetite and tolerance. Finally, capturing leading indicators enhances the ability to anticipate possible risks and opportunities before they materialize. With these foundational principles in mind, the risk assessment process can be periodically refreshed to deliver the best possible insights.
Organizations that vigorously interpret the results of their risk assessment process set a foundation for establishing an effective enterprise risk management program and are better positioned to capitalize on opportunities as they arise. In the long run, this capability will help steer a business toward measurable, lasting success in today's ever-changing business environment.
Risk Management
Risk management is the identification, assessment, and prioritization of risks (defined in International Organization for Standardization [ISO] 31000 as the effect of uncertainty on objectives) followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and impact of unfortunate events.2 Several risk management standards have been developed, including those of the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO.
Security professionals must remember that risk can be minimized, but it will never be eliminated. Risk assessments are a systematic approach with multiple levels. Is it possible to quantify the process? An organization must consider the possibilities involved in an individual trying to harm an asset or another individual and how the organization will mitigate the consequences of an attack.
More than a decade after the attacks on the World Trade Center, facility executives find themselves increasingly focused on the wellbeing of tenants and employees when assessing physical risks and weaknesses. This attention to real-world concerns requires a comprehensive planning approach. Today, security safeguards generally fall into one of three categories: physical security, information security, and operational security.
Risk is the uncertainty that surrounds events and outcomes that may (or may not) take place, whether they are future events or events already under way.
Risk management, as it relates to physical security, affects our ability to apply and maintain an efficient security plan; even more, it shapes the protection plan that is based on the risk assessment completed for the organization.
It is important for organizations to allocate material and funding to protect their most critical assets, whether those are the organizational infrastructure or the personnel.
To prioritize threats, an organization must assess the risks that the company faces and manage those risks by putting their resources to work in the most effective way.
Just as the DHS does not have unlimited resources to protect the nation's critical infrastructure, neither do organizations, whether they are in the public or private sector. As a result, hard choices have to be made about how resources are allocated; this is usually done by using a risk management process that measures risk and can clearly show organizations how they need to spend their money and plan accordingly.
2 Hubbard, 2009.
Regardless of anyone’s political beliefs, Americans want to prevent another terrorist attack from occurring in the United States, and organizations want to protect their assets. In the face of increasingly diffuse threats and adversaries asymmetrically pursuing vulnerable targets, the question is how can we best prevent such attacks?
When an organization prepares to complete a risk assessment and to properly address the risks that are “possible,” the following questions must be included:
● What is the risk (or threat)?
● What are we trying to protect?
● What is the criticality?
● What or who are the potential actors?
● What are the intentions?
● What are the relevant capabilities?
● What are the organization’s fragilities?
● What are the options to eliminate or at least alleviate those weaknesses?
For the purposes of this book, we will define risk management as the identification and management of opportunities and threats. A fundamental aspect of any organization is that all activities involve risk. Gains can only be realized when risks are taken. Risk management enables organizations to determine the level of risk that will provide the maximum overall gains.
When properly applied, risk management techniques have the potential to increase an organization’s profits over a period by minimizing losses. They allow clear decisions to be made about what level of risk is acceptable and what strategies are most appropriate for dealing with risks. A further benefit of properly applied risk management techniques is that organizations can obtain a significant competitive advantage by minimizing their risk management costs and identifying the real costs and gains of their activities.
Operational Risk
Operational risk deals with the day-to-day risks faced by an organization in areas such as:
● Personnel risk
● Property risk
● Technology risk
● Legal risk
● Regulatory risk
● Reputation risk
Personnel risk deals with the risks that affect the safety or stability of personnel within an organization. The risks associated with the safety of personnel include areas such as workplace accidents. These are generally managed through occupational health and safety management.
Another personnel risk is in the area associated with the value that personnel contribute to an organization and the investment that the organization has put into them. The value includes the experience and training that they have gained, the criticality of their position in the organization, and the cost of replacing the personnel if they leave for any reason.
Property risk generally deals with the fixed assets of an organization and the risks of the value of these assets being diminished. Property risk management works closely in areas such as security and fire management, which deal with direct threats to these assets.
Technology risk, which is often included in property risk, looks at the technology that an organization has and the risks of it being unable to carry out the function for which it was designed. It may include areas such as equipment failures and technology becoming outdated.
Legal risk covers areas such as the legality of contracts and the risks of litigation. This is often a large area for organizations to manage because it is concerned with all contracts such as purchase orders, employment contracts, and major contract agreements.
Regulatory risk deals with the rules that an organization must legally follow during normal operations. It includes areas such as company reports and financial accounting standards. These risks are generally straightforward to manage but may present very high risk if they are incorrectly managed.
Reputation risk is an area that can be very difficult to quantify. The value of an organization is often largely dependent on the value of its goodwill. The goodwill itself is dependent on the organization’s reputation. This area of risk is one that may be very easily damaged through adverse publicity or the efforts of competitors. When attempting to quantify this risk, it is often useful to start by looking at the cost of promotion that would be necessary to recover from a loss in this area.
Many areas contribute to these risks. These are addressed in this book according to traditional areas of responsibility within an organizational structure. These areas include:
● Security
● Fire
● Occupational health and safety
● Environmental issues
● Technology failures
● Natural disasters
● Industrial relations
● Litigation
● Legislative compliance
● Business activities
● Payment and processing systems
Security is an area that directly affects the risk areas of personnel, property, and technology. To a lesser extent, it also can include the areas of legal and reputation risk. For example, security may be relevant to personnel in the areas of assault and robbery. It also affects property and technology in the areas of theft and malicious damage. Legal and reputation risks may be affected by security in the area of protecting confidential information.
According to Walker (2001), environmental, health, and safety directly affect personnel, legal, regulatory, and reputation risks. Risk management in this area can also increase an organization’s gains. When effective environmental, health, and safety programs are put in place, opportunities also exist to increase staff morale and productivity. An organization’s reputation may also be enhanced through these programs.
Technology failures affect personnel and technology risk. Personnel are affected when technology is linked to staff health and safety. For example, the failure of a piece of technology may cause industrial accidents or fires. Technology risk is affected if the failure leads to a loss of production.
Natural disasters can directly affect personnel, property, technology, and reputation. When a natural disaster such as a flood or earthquake occurs, the effect on these areas may be enough to put an organization out of operation. Natural disasters may not be able to be accurately predicted, but organizations can take steps to minimize their exposure to them and manage the consequences if they do occur.
Industrial relations are an area of risk that affects personnel and reputation. Industrial relations are often concerned with maintaining low staff costs. However, a risk management approach also takes into account other costs and benefits. The cost of staff replacement through resignations is one of the areas that risk management can address. Whenever a person in an organization is replaced, there are significant costs associated with recruitment and training of new staff. There are also costs associated with low staff productivity caused by low morale or lack of experience. Good industrial relations minimize these risks and can provide an organization with a competitive edge through low staff replacement costs and highly experienced staff.
Litigation or legal risk is an area where an organization can benefit from a risk management approach. When faced with a legal claim, executive management needs to decide if it is going to defend the claim or negotiate a settlement. Risk management tools can assist in this decision-making process.3
Legislative compliance is an area where organizations need to continuously monitor changes to minimize their exposure to losses. Legislation is an area that constantly changes, and it is possible for an organization to have procedures and contracts in place that are out of date. For example, health and safety legislation may change and impose new standards of managing workplace risks. If the new standards are not implemented in an organization and a workplace accident occurs, then significant penalties may be imposed on the organization and its management. Legislation may also change in more complex areas such as the requirements of business loans. Failure to comply with new legislation in this area may result in debtors not having to repay interest on loans. Naturally, this is an area of significant interest to financial institutions.
Day-to-day business activities have risks in areas such as contracts and the estimation of time and material costs. Risk management of these areas has the potential to make significant improvements in an organization’s profitability. If, for example, an organization is experiencing continual losses in a particular area, it may be partly attributable to inappropriate management of the risks. By applying risk management techniques, it may be possible for an organization to define what activities or projects it should participate in, which ones it should outsource, and which ones it should avoid altogether.
Finally, payment and processing system errors contribute to losses and are also an area of interest to operational risk.
Although we have discussed operational risk in the context of a number of classifications, it is important to remember that they are all interconnected. If the risks are treated in isolation, then conflicts and inefficiencies may arise. This is often seen in the areas of security and fire, for example. Whereas the needs of security may be for locked doors, fire safety may require the doors to be left unlocked. By taking an overall operational risk management perspective, these risks can be prioritized and treated accordingly. An overall perspective can also provide opportunities for treating a number of risks in a single manner. A particular area of an organization may have significant security risks associated with poor industrial relations. Instead of investing in costly security measures, an outsource strategy may address both risks at once and provide higher benefits at lower cost.
3 Walker, 2001.
Treating risks with an overall operational risk perspective also allows organizations to maximize the effectiveness of their current resources. When developing risk management strategies, the human, technological, and physical resources of the organization may be applied. An overall perspective allows the most appropriate resources to be used in the most appropriate manner. This is an area where significant cost savings in managing risks may be available.
Operational risk management is an area where organizations have the opportunity of turning losses into profits. It provides the tools needed to do this.
A major challenge in operational risk is the quantification of the value at risk. The historical data necessary for quantifying the value at risk are far more fragmented in operational risk than in the areas of market or credit risk. As a result, operational risks are often measured in terms of high- or low-risk priority ratings. However, the data necessary for making quantitative operational risk measurements are available in most cases but require significant research to collate and evaluate.
When we examine the operational risks of an organization as a whole, it is necessary to also look at the areas of credit, market, and strategic risk. Although this book deals with operational issues, all risks facing an organization are interrelated. It is important to remember that the different categories of risk are only management definitions to enable effective application of staff skills within an organizational structure. For example, a major operational project such as a building construction or a technology implementation will come across issues of finance (including credit risk); the stability of the financier (market risk issues); strategic risk; and, of course, the operational risk issues associated with contracts and costs.
The areas of risk management are often isolated functions within large organizations, both structurally and strategically. It may be argued that to achieve the full benefits from risk management techniques, these areas should be combined within an organization’s structure.
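The chapter argues that operational risks are usually rated high or low rather than quantified, and that one treatment addressing several risks at once (the outsourcing example above) can beat costly single-purpose measures. The following is an added example, not from the chapter or its cited authors, that puts those two ideas into code: a small risk register using the chapter’s categories is rated on likelihood and consequence, and candidate treatments are chosen within a budget so that the total priority covered is maximized. All risk names, treatment names, costs, and ratings are constructed for illustration.

```python
"""Risk register prioritization with shared treatments (added example)."""
from dataclasses import dataclass
from itertools import combinations

# Ordinal priority ratings, as the chapter describes (high/medium/low).
PRIORITY = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Risk:
    name: str
    category: str     # personnel, property, technology, legal, regulatory, reputation
    likelihood: str   # high / medium / low
    consequence: str  # high / medium / low

    def rating(self) -> int:
        """Priority rating = likelihood x consequence on the 1..3 scale (1..9)."""
        return PRIORITY[self.likelihood] * PRIORITY[self.consequence]


@dataclass(frozen=True)
class Treatment:
    name: str
    cost: int              # constructed budget units
    covers: frozenset      # names of the risks this treatment addresses


def prioritize(risks):
    """Risks from highest to lowest rating; ties broken alphabetically."""
    return sorted(risks, key=lambda r: (-r.rating(), r.name))


def select_treatments(risks, treatments, budget):
    """Pick the treatment set within budget that covers the most total rating.

    A treatment covering several risks is naturally favoured because each
    covered risk contributes its rating once. Ties go to the cheaper set.
    Exhaustive search is fine for the handful of treatments a register review
    weighs; it is exponential in the number of treatments.
    """
    rating = {r.name: r.rating() for r in risks}
    best, best_key = (), (0, 0)
    for k in range(1, len(treatments) + 1):
        for combo in combinations(treatments, k):
            cost = sum(t.cost for t in combo)
            if cost > budget:
                continue
            covered = set().union(*(t.covers for t in combo))
            key = (sum(rating.get(n, 0) for n in covered), -cost)
            if key > best_key:
                best, best_key = combo, key
    return [t.name for t in best], best_key[0], -best_key[1]


# Constructed register drawn from the chapter's own examples of where security
# touches each risk category (theft, assault, staff turnover, disclosure, fire).
RISKS = [
    Risk("theft", "property", "high", "medium"),
    Risk("assault", "personnel", "medium", "high"),
    Risk("staff_turnover", "personnel", "high", "medium"),
    Risk("disclosure", "legal", "medium", "high"),
    Risk("fire", "property", "low", "high"),
]
TREATMENTS = [
    Treatment("guards", 50, frozenset({"theft", "assault"})),
    Treatment("outsource", 30, frozenset({"theft", "staff_turnover"})),
    Treatment("access_control", 20, frozenset({"theft", "disclosure"})),
    Treatment("fire_system", 25, frozenset({"fire"})),
]

if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{r.rating()}  {r.category:10} {r.name}")
    print(select_treatments(RISKS, TREATMENTS, budget=60))
```

With a budget of 60 the search prefers outsourcing plus an access control upgrade over a guard force, because together they cover three rated risks for the same money.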
Legal Risk (Information Security)
Outside of the individual state laws and industry-specific laws and regulations, there are a number of different physical security laws and regulations that organizational management and security professionals need to keep in mind when they are completing assessments.
Although this book does not focus on information security, protecting an organization’s network, a key asset, is beneficial for the survival of a company, both in prevention and during an incident. ISO 17799 and BS 7799 are guides to making sure an organization is in compliance with federal laws and regulations.
ISO 17799 and BS 7799: The Key Components of the Standard
BS 7799 specifies requirements for establishing, implementing and documenting an information security management system. The standard has 10 domains that address key areas of information security management.4
Information Security Policy for the Organization
This activity involves a thorough understanding of the organization’s business goals and its dependence on information security. This entire exercise begins with creation of an information technology (IT) security policy. This is an extremely important task and should convey total commitment of top management. The policy cannot be a theoretical exercise. It should reflect the needs of the actual users. It should be implementable and easy to understand and must balance the level of protection with productivity. The policy should cover all of the important areas such as personnel, physical, procedural, and technical.
Creation of Information Security Infrastructure
A management framework needs to be established to initiate, implement, and control information security within the organization. This needs proper procedures for approval of the information security policy, assigning of the security roles, and coordination of security across the organization.
Asset Classification and Control
One of the most labor-intensive but essential tasks when completing asset classification is to manage an inventory of all IT assets. These assets may include information assets, software assets, physical assets, or other similar services. These assets need to be classified to indicate the degree of protection required. The classification should result in appropriate categorization indicating whether an asset is sensitive or critical and which procedures are appropriate for copying, storing, transmitting, or destroying the information asset.
Personnel Security
Human errors, negligence, and greed are responsible for most thefts, frauds, and misuse of facilities. Various proactive measures that should be taken are to establish personnel screening policies, confidentiality agreements, terms and conditions of employment, and information security education and training. Alert and well-trained employees who are aware of what to look for can prevent security breaches.4
4 Mukund, NA.
Physical and Environmental Security
Designing a secure physical environment to prevent unauthorized access and damage and interference to business premises and information is usually the beginning point of any security plan. This involves physical security perimeter; physical entry control; creating secure offices, rooms, and facilities; providing physical access controls; providing protection devices to minimize risks ranging from fire to electromagnetic radiation; and providing adequate protection to power supplies and data cables. Cost-effective design and constant monitoring are two key aspects of maintaining adequate physical security control.
Communications and Operations Management
Properly documented procedures for the management and operation of all information processing facilities should be established. This includes detailed operating instructions and incident response procedures.
Network management requires a range of controls to achieve and maintain security in computer networks. This also includes establishing procedures for remote equipment, including equipment in user areas. Special controls should be established to safeguard the confidentiality and integrity of data passing over public networks. Special controls may also be required to maintain the availability of the network services.
Exchange of information and software between external organizations should be controlled and should be compliant with any relevant legislation. There should be proper information and software exchange agreements; the media in transit need to be secure and should not be vulnerable to unauthorized access, misuse, or corruption.
Electronic commerce involves electronic data interchange, electronic mail, and online transactions across public networks such as the Internet. Electronic commerce is vulnerable to a number of network threats that may result in fraudulent activity, contract disputes, and disclosure or modification of information. Controls should be applied to protect electronic commerce from such threats.
Access Control
Access to information and business processes should be controlled according to the organization’s operations and security requirements. The areas of focus may include:
● Defining access control policy and rules
● User access management
● User registration
● Privilege management
● User password use and management
● Review of user access rights
● Network access controls
● Enforcing the path from the user terminal to the computer
● User authentication
● Node authentication
● Segregation of networks
● Network connection control
● Network routing control
● Operating system access control
● User identification and authentication
● Use of system utilities
● Application access control
● Monitoring system access and use
● Ensuring information security when using mobile computing and teleworking facilities
System Development and Maintenance
Security should ideally be built in at the time of inception of a system. Hence, security requirements should be identified and agreed on before the development of information systems. This begins with security requirements analysis and specification and providing controls at every stage (i.e., data input, data processing, data storage and retrieval, and data output). It may be necessary to build applications with cryptographic controls. There should be a defined policy on the use of such controls, which may involve encryption, digital signatures, use of digital certificates, protection of cryptographic keys, and standards to be used for cryptography.
A strict change control procedure should be in place to facilitate tracking of changes. Any changes to operating systems or software packages should be strictly controlled. Special precautions must be taken to ensure that no covert channels, back doors, or Trojans are left in the application system for later exploitation.
Business Continuity Management
A business continuity management process should be designed, implemented, and periodically tested to reduce the disruption caused by disasters and security failures. This begins by identifying all events that could cause interruptions to business processes and, depending on the risk assessment, preparation of a strategy plan. The plan needs to be periodically tested, maintained, and reassessed based on changing circumstances.
Compliance
It is essential that strict adherence is observed to the provisions of national and international IT laws pertaining to intellectual property rights, software copyrights, safeguarding of organizational records, data protection and privacy of personal information, prevention of misuse of information processing facilities, regulation of cryptographic controls, and collection of evidence.
Reputational Risk
How much is your reputation worth? How much should a company spend to protect its reputation? The threat to a company’s good name can happen to any organization no matter how big or small. Reputational risk can be caused by the company itself as a result of the employees or investors or by a product produced by the company. It is important that the organization follows best practices and is socially and environmentally conscious to protect its reputation.
Managing Reputational Risk
Reputation risk is the current and prospective impact on earnings and enterprise value arising from negative stakeholder opinion. According to Koenig (2012), it is “the loss of the value of a brand or the ability of an organization to persuade.”5