Impact of Enterprise Security Risk Assessments on Integrators & Manufacturers. J. Kelly Stewart Steve Oplinger James Marcella

Transcription

1 Impact of Enterprise Security Risk Assessments on Integrators & Manufacturers J. Kelly Stewart Steve Oplinger James Marcella 1

2 Session Description What exactly does a risk assessment mean to the integrator and manufacturer community? So often risk assessments are overlooked and not received as an essential piece of the project process. Collaboration with each of the essential elements of the business from the installation and implementation of the solution to the overall operation get neglected resulting in lost revenue and lack of actual fulfillment of what the customer actually needs. Ensuring manufacturers and integrators are intertwined in the overall process ensures that at the end of the day, the customer gets exactly what is needed and prescribed. Session attendees will review the procedure to prepare action plans and gain insights to recommend appropriate product and solutions as well as formulate appropriate budgets so they are seen as a value added resource. Participants should have general understanding of risk, threats and vulnerabilities before attending this session.

3 Impact of Enterprise Security Risk Assessments on Integrators & Manufacturers Learning Objectives The considerations, impacts, and issues that are solved when manufacturers and integrators utilize a risk assessment to its fullest potential. Examine Leverage and understand Risk assessment findings to appropriately plan, prepare and budget for a well-designed and effective physical protection system (PPS). Proven practices that will assist the manufacturers, integrators and security risk consultants fulfilling customer needs by understand, deciphering and properly utilizing risk assessments. Explore

4 James Marcella is the director of technical services for Axis Communications. In this role, Mr. Marcella oversees technical support, educational services and information technology for North American operations. He also serves on the steering committee for Axis Communications Academy, a global technical training program for Axis partners and resellers. Mr. Marcella joined Axis in 1997 as a business development manager. In this position, he managed the company s Application Developer Partner program for North America, finding best-of-breed software developers to create applications specifically for Axis network video products. He later served as the government solutions manager and was responsible for developing the company s authorized dealer channel and growing business in the federal market. James Marcella Director of Technical Services Axis Communications Mr. Marcella has represented Axis at a number of high-profile events, including ISC West, ASIS and TechSec. He is an instructor for ASIS national education program. Mr. Marcella writes a quarterly column for SecurityInfoWatch.com and is often quoted in a variety of security and IT industry publications, including Federal Computer Week, SDM and Security Systems News. 4

5 Mr. Oplinger has been active in the security industry for over 25 years. He currently holds the position of Systems Design manager for a midsized integrator in Florida, which he has held for the past 10 years. Mr. Oplinger is a member of both The Security Industry Association (SIA), and ASIS International, and has been a member of the ASIS Physical Security Council for the past 16 years. He currently holds the position of Chairman for the ASIS PSC. He is a nationally known speaker for both ASIS and SIA, delivering programs on both the National and Regional levels. Steve S. Oplinger Systems Design Manager Integrated Fire and Security Solutions, Inc In addition, Mr. Oplinger was instrumental in the writing of the Certified Security Project Manager (CSPM) Book of Knowledge and corresponding workshop, which he teaches for SIA. He sits on numerous committees within the security industry concentrating on security standards and methodologies. 5

6 J. Kelly Stewart is Managing Director & CEO of Newcastle Consulting, LLC - an Enterprise Security Risk and Information Management Consultancy with more than 25 years of public and private experience as seasoned international security practitioner in leading multi-national security management operations focused on Integrated, Enterprise Security Risk Management Programs; Comprehensive Risk, Threat, & Vulnerability Assessments; Security Master Planning; Facility Security Design; and Intelligent Command Centers. We encourage and enable executives to focus their organizations on core competencies where they can achieve definable advantages and add value to their client base thus facilitating and protecting strategic advantages they have in the marketplace. Our belief is in proactive, predictive, and responsive advice and access to information critical to building a companies' resilience to operational risk thereby protecting its people and assets. J. Kelly Stewart Managing Director & CEO Newcastle Consulting, LLC I concentrate on a systematic, prevention-based methodology that emphasizes the four cornerstones of the company: Strategy, Planning, Preparation and Execution. We pursue Excellence because: Excellence is an art won by training and habituation. We do not act rightly because we have virtue or excellence, but we rather have those because we have acted rightly. We are what we repeatedly do. Excellence, then, is not an act but a habit. Mr. Stewart is the former Chief Security Officer/Director of Safety and Security of Intelsat Corporation, a $3 billion satellite service provider. He has further managed and led physical security operations for both CACI and Deloitte. He served a distinguished tenure with the United States Secret Service coordinating advance operations in the areas of technical security, intelligence information, threat identification and planning, and emergency evacuation operations. He has been a key advisor to the Chief of Defense Nuclear Security on matters of security policy and special projects, concentrating on physical security systems design and operations, vulnerability assessments, technology applications and security management. 6

7 7

8 The Manufacturer James Marcella Director of Technical Services Axis Communications 8

9 Manufacturer Considerations Assess Asset Value Cost Analysis Analyze how mitigation options affect asset criticality and risk Assess Vulnerability Assess Risks Identify Mitigation Options Decision Risk Management Assess Th reats Benefits Analysis Analyze how mitigation options change vulnerability and risk Figure 1.1 Risk Analysis Flow Chart, ASIS PSP Review Guide 9

10 Options to Mitigate: Video Surveillance Deterrence Forensic Assessment

11 Market Needs Drive Product Portfolio Re-Purposing Technology Criticality: Innovation & Premiums High Probability: Commoditization

12 The Impact of Innovation Learning Curve Disruptive Technology Drives Change Evolving Skill Set Traditional Business Models Challenged Project Management & Specialization

13 Manufacturer Differentiation Product Quality Professional Services Tools Solutions Warranty 13

14 The Integrator Steve S. Oplinger Systems Design Manager Integrated Fire and Security Solutions, Inc 14

15 Work with Suppliers Defined for The Client 15

16 What has to be Considered from using a Risk Assessment as a tool? Feasibilities Are the Expectations Real? Design Does the Design meet the Need? Cost/Expense Does the Design meet the Budget

17 Impacts: How does the Risk Assessment figure into the overall plan? Technology Manpower Budgets

18 The Got-Ya s Coordination of Disciplines Operational Considerations Stop Gap

19 The Security Consultant J. Kelly Stewart Managing Director & CEO Newcastle Consulting, LLC 19

20 20 What considerations go into a Comprehensive Risk, Threat & Vulnerability Assessment?

21 Our Roadmap 8. Deliver Value to create A Business Partnership 1. Establish a Trust Relationship 7. Oversee s construction and commissioning 2. Help Client Solve Security Problems 3. Determines & Interprets Owner Input/scope 6. Identifies and justifies security s value and designs programs 5. Integrates systems and programs: people, process, technology, operations and procedures 4. Identifies and interprets security requirements, constraints and culture into a complete security system and program

22 Manage the protection of an organization s enterprise-wide assets, enabling the business to advance its mission Provide consistent identification, evaluation, and treatment of security risks to mitigate potential impacts to the business and prioritize protective activities. Establish organizational policies, procedures, best practices, and capabilities to identify and manage security risks to the enterprise in an effective, consistent, and efficient manner.

23 What is Enterprise Security Risk Management and why is it important to not only understand it but see how it is critical to the RTVA process? Quantifies Establishes Identifies Manages Threats Mitigation Plans Risk Acceptance Practices Incidents LOGO

24 ESRM Principles Identification and Valuation of Enterprise s Assets Intelligence Gathering Develop Risk Treatment Plans Continuous Improvement Identify Security Vulnerabilities and Risks to each Asset Resources Security Risks Root Cause Analysis and Post Mortem Newcastle Consulting, LLC Prioritize the Security Risk and the Security-Risk Relationship with each Asset

25 Risk Assessment Process The External Context The Internal Context The Risk Management Context Develop Criteria and Define the Structure Establishing the Context Risk Assessment What Can Happen, When, Where, How, & Why Asset Identification, Valuation and Characterization Threat/Opportunity, Vulnerability/Capability & Criticality/Impact Analysis Identify Existing Controls Determine Likelihood Determine Consequences Determine Level of Risk Compare the Criteria Set the Principles Consider Tolerance and Acceptability Communication & Consultation Risk Identification Risk Analysis Risk Evaluation Treat Risk No Monitor & Review Identify and Assess Options Avoid? Share? Exploit? Reduce? Accept? Prepare and Implement Treatment Options Analyze & Evaluate Residual Risk Yes Risk Treatment

26 Effective, Efficient Security Project Analyze the Situation Determine the Needs the solution provides Design the Means to the ends Integrate the pieces of the project Implement the project/solution Operate the system / solution

27 Envision: Which assets need to be protected from which threats? Translate: How will we reduce our risk? Communicate: Who do we need to communicate with and how best to do it? Evaluate: Look at various solutions Anticipate: Look forward to possible means of circumventing your solutions Execute: Design and install best solution Operate: Make it work as envisioned 27

28 28

29 James Marcella Director of Technical Services Axis Communications Cell: (978) Steve S. Oplinger Systems Design Manager Integrated Fire and Security Solutions, Inc Cell: (239) J. Kelly Stewart Managing Director & CEO Newcastle Consulting, LLC Cell: (202)