Benefits of a truly wholistic approach to security in government

DESCRIPTION

Security-in-depth is a key and noble concept. It is often implemented very well within the individual disciplines of information, personnel and physical security. Good practitioners also implement it well across the disciplines to achieve holistic, cost-effective and efficient protection of an organisation’s people, information and assets. Achieving effective and efficient security-in-depth depends not just on controls within and across the disciplines, but also on the interaction of policy development, risk assessment, planning, incident management, assurance and review. QinetiQ Australia assists its clients to take a wholistic approach to the implementation of security: one which sees security as an entire system with component parts. The approach doesn’t stop at security-in-depth through controls alone, but sees how those controls, and the policies that initiate them, are properly informed by environment, risk assessment, incident analysis and assurance review. QinetiQ’s consultants possess backgrounds as Agency Security Advisers, policy writers, risk assessors, system auditors and systems engineers. This knowledge and expertise is harnessed to provide the best possible support and advice to government agencies seeking to be compliant with the Protective Security Policy Framework within a resource-constrained environment.

TRANSCRIPT
Benefits of a truly wholistic approach to Security in Government

Jolyon Keegan, Government Portfolio Lead
Vern Amey, Senior Security Risk Consultant
Des Sengunlu, Senior Physical Protections Consultant
Outline

- Introductions
- Evolution to PSPF
- Observations
- Wholistic system
- Security risk
- A cyclical approach
- Benefits
- Key takeaways
- Discussion
Our Three Key Presenters

- Jolyon Keegan, Government Portfolio Lead
- Vern Amey, Senior Security Risk Consultant
- Des Sengunlu, Senior Physical Protections Consultant

Our Background
Evolution of PSPF Risk-based Approach

Pre 9/11

- Focus on risks associated with foreign espionage
- Protection of Australian Government information (aimed more at the higher classification levels – primarily hard copy)
- Government Agency security less focussed on physical and personnel measures
- General Government security policy
2001 – 2010

- Security risk focus broadened to include risks associated with protection against a high-impact event
- Australian Government security policy became the Protective Security Manual
- So were born the protective security elements of Physical, Personnel and Information security
- Security risk mitigation strategies became multi-faceted
2011

- The threat and risk landscape changes
- Risk associated with cyber intrusion becomes a major focus
- Security risk again heavily focussed on Information Security
- The Australian Government completes delivery of a revised security policy in the form of the Protective Security Policy Framework
- Agencies are to take a risk-based approach to protective security
Our Key Observations

1. Cookie-cutter risk assessments
2. Shelved risk assessments
3. Document present = tick
4. Lack of security input to budgets
5. Policy development in blissful isolation
6. Security-in-depth overkill or controls mismatch
7. Security as an opportunity/enabler, rather than an impost
8. A factor in all of these = risk
Security is a Wholistic System

Component parts of the system (shown as a diagram on the slide):

- Policies
- Plans
- Budgets
- Physical Controls
- Personnel Controls
- Information Controls
- Incidents & Investigations
- Audit, Assurance & Review
Risk as the system driver

- Establish the ‘Agency-specific’ threat context
- Determine risk tolerance
- Identify criticality of assets
- Assess what the agency is doing right and what is missing from a protective security perspective
- Identify relationships between security risk, WH&S, emergency management, business continuity and enterprise risk processes
- Define the pathway to developing wholistic security risk treatment strategies
- Agree that security risk management is good business sense
- When it’s all said and done, don’t walk away
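The steps above can be exercised against a small risk register. The following is an added example, not code from the presentation or from QinetiQ: it takes a constructed agency threat context, asset criticality ratings, a risk tolerance set by the risk owner, and the controls already in place across the physical, personnel and information disciplines, then reports which risks above tolerance are untreated, which disciplines cover each one (the security-in-depth check), and which controls map to no identified risk or only to risks already within tolerance (the “overkill or controls mismatch” observation). The 5x5 rating matrix, the asset and control names, and the tolerance value are all hypothetical.

```python
from dataclasses import dataclass

# Constructed qualitative scales (a hypothetical 5x5 matrix, not the PSPF's).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"minor": 1, "moderate": 2, "major": 3, "severe": 4, "catastrophic": 5}
DISCIPLINES = ("physical", "personnel", "information")


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1 (low) to 5 (critical), as rated by the agency


@dataclass(frozen=True)
class Risk:
    ident: str
    asset: Asset
    threat: str             # drawn from the agency-specific threat context
    likelihood: str
    consequence: str

    def rating(self) -> int:
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]


@dataclass(frozen=True)
class Control:
    name: str
    discipline: str         # one of DISCIPLINES
    treats: tuple           # risk identifiers this control is mapped against


def review(risks, controls, tolerance):
    """Report what the agency is doing right and what is missing.

    tolerance: the highest rating the executive (risk owner) accepts untreated.
    """
    by_id = {r.ident: r for r in risks}
    for c in controls:
        if c.discipline not in DISCIPLINES:
            raise ValueError(f"unknown discipline {c.discipline!r} on {c.name}")

    # Risks above tolerance: highest rating first, then most critical asset, then id.
    above = sorted(
        (r for r in risks if r.rating() > tolerance),
        key=lambda r: (-r.rating(), -r.asset.criticality, r.ident),
    )
    # Which disciplines cover each risk above tolerance (security-in-depth check).
    coverage = {
        r.ident: sorted({c.discipline for c in controls if r.ident in c.treats})
        for r in above
    }
    untreated = [r.ident for r in above if not coverage[r.ident]]

    # Controls mapped to no risk in the register: a controls mismatch.
    unmapped = [c.name for c in controls if not any(t in by_id for t in c.treats)]
    # Controls whose every mapped risk is already within tolerance: review them,
    # do not assume they should be removed.
    overkill = [
        c.name for c in controls
        if c.name not in unmapped
        and all(by_id[t].rating() <= tolerance for t in c.treats if t in by_id)
    ]
    return {
        "above_tolerance": [r.ident for r in above],
        "coverage": coverage,
        "untreated": untreated,
        "unmapped_controls": unmapped,
        "possible_overkill": overkill,
    }


def sample_register():
    """Constructed sample data; every name and rating here is hypothetical."""
    records = Asset("Classified records store", criticality=5)
    website = Asset("Public website", criticality=2)
    risks = [
        Risk("R1", records, "unauthorised physical access", "likely", "severe"),
        Risk("R2", records, "insider disclosure", "possible", "major"),
        Risk("R3", website, "defacement", "possible", "minor"),
        Risk("R4", records, "undetected environmental failure", "possible", "major"),
    ]
    controls = [
        Control("Electronic access control", "physical", ("R1",)),
        Control("Security clearance vetting", "personnel", ("R2",)),
        Control("Need-to-know compartmenting", "information", ("R2",)),
        Control("Armed guard at loading dock", "physical", ("R3",)),
        Control("CCTV in visitor car park", "physical", ("R9",)),  # R9 is not in the register
    ]
    return risks, controls


if __name__ == "__main__":
    risks, controls = sample_register()
    for key, value in review(risks, controls, tolerance=8).items():
        print(f"{key}: {value}")
```

With the sample data, R4 shows up as untreated above tolerance, R1 is covered by a single discipline only, the loading-dock guard is flagged for review because it treats a risk already within tolerance, and the car-park CCTV is flagged because it maps to an identifier the register does not contain. Re-running the review after each risk review or incident analysis is the “don’t walk away” step.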
Cyclical approach

The cycle, as built up across the slides (shown as a diagram on the slide):

- Security risk assessment / security risk review
- Initial planning / planning updates
- Higher planning / higher planning updates
- Policy development / policy review
- Higher policy / higher policy updates
- Implementation planning
- Implementation
- Operations

Inputs that feed back into the cycle:

- Investigations
- Targeted reviews and audits
- Incident data analysis
- Projects / validation exercises
- PSPF annual assurance
- Ongoing security risk monitoring (running throughout the cycle)
Benefits

Helps protective security in an organisation:

- align with the risk-based approach intent of the PSPF
- be responsive to a changing environment
- remain relevant to executive management (risk owners)
Key Takeaways and Discussion

- The component parts must interact – communication essential
- Risk context is crucial – tailoring important
- Take a cyclical, wholistic approach driven by risk