ENTERPRISE SECURITY RISK MANAGEMENT SECURITY AND THE ISO31000 STANDARD? Julian Talbot Jakeman Business Solutions Pty Ltd ISO 31000 Conference 21-22 May 2012 G31000 the Global Risk Management Platform


ENTERPRISE SECURITY RISK MANAGEMENT SECURITY AND THE ISO31000 STANDARD?

Julian Talbot, Jakeman Business Solutions Pty Ltd

ISO 31000 Conference 21-22 May 2012

G31000 the Global Risk Management Platform

Page 2

Once upon a time…

[Timeline figure: Pre-4360 (Fear, Uncertainty, Doubt) → AS/NZS 4360 (1995) → ISO 31000 (Integrated RM)]

Page 3

ISO31000

• Principles
• Framework
• Process

[ISO 31000 process diagram: Establish the Context → Risk Identification → Risk Analysis → Risk Evaluation → Risk Treatment; Risk Identification, Risk Analysis and Risk Evaluation together form Risk Assessment; Communication and Consultation and Monitoring and Review run alongside every step]

Page 4

Why does ISO 31000 work for security?

Page 5

Why does ISO 31000 work for security?

• ‘Apples for apples’ comparison:
  – taxonomy (eg: likelihood and consequence)
  – risk assessments by different assessors
  – longitudinally
  – between divisions or other organisations
  – against environmental, safety, financial risks
• Better decisions and allocation of resources
• Permission to add value
• Ability to integrate methodologies

Page 6

[ISO 31000 process diagram repeated: Establish the Context → Risk Identification → Risk Analysis → Risk Evaluation → Risk Treatment (Risk Assessment), with Communication and Consultation and Monitoring and Review alongside]

Page 7

Page 8

Enterprises…

• $30 billion budget
• 120,000 people
• 8,000 facilities
• 41 Risk Criteria
• 15 Divisions

Source: www.riskebooks.com, Julian Talbot (ASIS 2009)

Page 9

Australian Trade Commission (Austrade)

• Assists Australian businesses to export
• 1,400 staff in 60 countries
• 120 offices including 22 Consular posts
• $400 million annual budget

Page 10

Understanding the risks

• Official sources including
  – Department of Foreign Affairs & Trade (DFAT)
  – National Threat Assessment Centre (NTAC)
• Open source and commercial providers
• Internal capability
  – Austrade posts and officers
  – Austrade Security Team
• Security Risk Assessments
• Incident reporting

Page 11

Terrorism

Source: Nationmaster.com

Page 12

Assault

Source: Nationmaster.com

Page 13

Fraud

Source: Nationmaster.com

Page 14

Page 15

Enterprise Security Risk Assessment (ESRA)

• Defensible, systematic and robust basis for decision making and planning

• Provide senior management with an assessment of current and emerging risks

• Inform the development and application of ongoing budgets and security measures

Page 16

Enterprise Security Risk Assessment (ESRA)

• Whole of organisation/enterprise
• Inform budget and systems planning
• Known & emerging threats to the ‘business’
  – Not location, activity or function specific
• ‘Enterprise Security Standards’
  – Based on location, activities and functions

Page 17

Enterprise Security Standards

Standards by THREAT LEVEL (columns 1 to 5) for each post type (rows VC, IMG, PMV, Esp.). Some rows carry only four entries in the source.

Intruder Alarm System
         1        2        3        4        5
VC       S        M        M        M        M-Crypt
IMG      S        M        M        M-Crypt
PMV      S        M        M        M-Crypt
Esp.     S        M        M-Crypt  M-Crypt  M-Crypt

Window Treatments
         1        2        3        4        5
VC       S1       S2       2343-R1  2343-R2  2343-R2
IMG      S        2343-R1  2343-R2  2343-R2
PMV      S        2343-R1  2343-R2  2343-R2
Esp.     S        S        M        2343-G0

Locks
         1        2        3        4        5
VC       M        M        M10      M11      M12
IMG      M        M        M10      M11      M11
PMV      M        M        M10      M11      M11
Esp.     M        M        M10      M11      M12

10 Pick-resistant hardened
11 Pick-resistant hardened, controlled profile
12 Pick-resistant hardened, restricted profile, organisation-endorsed

Page 18

Results…

• Austrade:
  – 5 year $60 million security plan
  – Robust, well documented analysis
  – Business case: AUD$18.4 billion exports with Austrade assistance (vs $12M p.a. on security)
• Defence:
  – 5 year $300 million security plan
  – Included $120 million existing treatments
• Finance:
  – 3 year $2 million security plan
  – Proportional to the agency

Page 19

Last points…

1. All SR Managers
2. Something free?
3. Business card?
4. Been robbed?
5. Been a robber?
6. Illegal drugs?
7. Been to Africa?
8. Papua New Guinea?
9. Motorcycle license?

Page 20

Last points…

1. All SR Managers
2. Be prepared
3. Time critical
4. Emotional decisions
5. Red teaming
6. 15% of the economy
7. It’s personal!
8. Big risk taker!
9. HUGE risk taker!

Page 21

THANK YOU

Contact me at: [email protected]

Download this presentation from: www.jakeman.com.au