Friday 30 December 2011

Security Risk Management – More Than Just Risk Assessment

Thursday, December 22, 2011
Source: Infosec Island

In an article in the December edition of the ACC Docket, entitled “Disciplined and Practical Risk Management”, Jim Jackson, General Counsel of Medair, discussed risk management in the non-profit arena, focusing on his experiences on this issue during his tenure at Medair.
Medair is an entity which “brings life-saving relief and rehabilitation in disasters, conflict arenas and other crisis by working alongside the most vulnerable in Africa, Asia and other areas with extraordinary need.”

This relief and rehabilitation includes the areas of “health, nutrition, water, sanitation, hygiene and shelter.” After becoming involved with the non-profit in 2010, he instituted a risk management system which included a risk assessment program and linking of this risk assessment “into what we do and to manage that effectively.”
His approach is one that can be used for any risk portfolio which a company may carry, including an anti-corruption risk based upon the Foreign Corrupt Practices Act (FCPA).

Risk Assessment

Jackson believes that many risks are similar across different organizations, both for-profit and non-governmental organizations (NGOs), like Medair. Therefore, by reviewing other risk assessment programs, it was possible for him to create a measurement of risk for his client.

The risks for Medair include “revenue stream, portfolio fulfillment, staff security, attracting and retaining staff, fraud and business continuity.” To determine the specific risks for each, Jackson led a series of interviews. He cautioned that it must be the “right people in the room.”

That is, the ones with the experience who can answer the questions related to risks the entity faces. After feedback from the interviewees, Jackson pared the initial list into a “more specific set of causes of risk and the precise areas to monitor and track.”

From this exercise, Jackson developed “probability and impact definitions and then labeled and described the specific risk.” They are as follows:

PROBABILITY

Probability Rating    Assessment
Greater than 10%      Very Likely
Less than 10%         Possible
Less than 5%          Unlikely
Less than 1%          Rare

IMPACT

Priority Rating       Impact Rating
1                     Critical
2                     Significant
3                     Moderate
4                     Insignificant

Risk Management

However, the risk assessment and ranking is only the first step. Jackson said that “ongoing communication is key to the effectiveness of risk mitigation.” For Medair, this communication begins when it charts its risk assessments using the above metrics at the quarterly meeting of the Executive Leadership Team (ELT), where risk “mitigation strategies are also analyzed for effectiveness.”

These strategies include “making sure that resources are allocated to mitigation actions”, and that all parts of the organization are in communication with each other regarding these actions. All of this is then reviewed at the next quarterly ELT meeting.

However, for Jackson the primary key is that risk management must be linked to the organization’s purpose and goals. Your company must be disciplined; it cannot simply develop a risk assessment and then not use it to look at risk generally. As important as systems are, they must be “practical and linked” to what your company does.

The Medair risk management system provides an excellent example of the tools available to the compliance practitioner. The Department of Justice identifies a risk assessment, and its use, as part of a minimum best practices program.

Further, your risk assessment should inform your compliance program and not vice versa. The Medair method of assessing risk and then managing from that assessment provides an example of an ongoing process for an overall risk management program for a company under the requirements of the FCPA.

Cross-posted from Tom Fox Law
Copyright 2009-2011 Respective Author at Infosec Island

Thursday 29 December 2011

Drug Dealer's 4X4 Becomes Crime Prevention Weapon

Date: Thursday, December 29, 2011
Source: Cliff Caswell - Security Oracle

A deluxe 4X4 seized from the proceeds of a convicted drug dealer is being used by Kent Police to deter other would-be criminals, it has emerged.

The Range Rover Sport – reclaimed under the Proceeds of Crime Act – has been branded with anti-crime messages and is being parked up where warrants are being executed. And after the previous owner was sent to prison for 18 months, officers said that the luxury car would make other offenders realise how much they too could lose.

As well as being used to highlight where warrants are being executed, the vehicle has also been involved in a tour of prisons in the Force area and parked at other high-profile locations.

According to Kent Police, some £3.7 million was ordered for seizure from convicted criminals through Confiscation Orders between April and November 2011.

DI Mark Fairhurst of the Kent and Essex Serious Crime Directorate emphasised that reclaiming the spoils of criminality remained a priority for officers.

He added: "Criminals may believe they are becoming smarter at hiding assets but investigators will bring them before the courts to recover the proceeds from their criminal behaviour.

"Not only does POCA take the money out of criminals' pockets and stop them using it to commit offences, it is put back into policing to reinvest in initiatives to reduce crime."

Under POCA proceedings, offenders are given a set time to pay orders. Forces work closely with the Court Enforcement Unit to ensure offenders are held to account within the time given.

Around £9m was recovered by Kent Police through the Act last year and £1.6 was handed to Kent Police under the Home Office's Asset Recovery Incentivisation Scheme.

This was the second highest figure in the UK and the highest ever for Kent.

Cliff Caswell - Security Oracle

Update by Paul

There are two cars outside New Scotland Yard which were uninsured and seized by the Met Police.
Photographs by Master B Bell

Cyber Security - Hacked Stratfor Security Think-Tank Keeps Site Offline

Date: 29 December 2011
Source: BBC News

Hacked US security firm Stratfor has told its subscribers that it may take a week or even longer to restore its website. The site went offline on 24 December.

Hackers have posted credit card details, email addresses, phone numbers and encrypted passwords which they said were taken during the attack.

Image caption: Anonymous graphic used on the @YourAnonNews Twitter account. Participants in the hacktivist group Anonymous are using Twitter to provide more detail about the attack.

Stratfor has said it will pay for a credit card fraud protection service for members whose payment details might have been compromised by the breach.


Tweets posted on accounts linked to the hacktivist group Anonymous said that the US Department of Defense, the defence firm Lockheed Martin and Bank of America were among Stratfor's clients.

A recent message posted by @YourAnonNews added that other parties affected by the hack included Google, American Express, Coca-Cola, Boeing, Sony, Microsoft and the mining group BHP Billiton.

Protection

An email from Stratfor to its subscribers said: "At our expense, we have taken measures to provide our members whose credit card information may have been compromised with access to CSID, a leading provider of global identity protection and fraud detection solutions and technologies.

"We have arranged to provide one year of CSID's coverage to such members at no cost.

"As part of our ongoing investigation, we have also decided to delay the launching of our website until a thorough review and adjustment by outside experts can be completed."

The identity theft prevention service Identity Finder has carried out its own analysis of details posted online about hacked clients whose names fell between A and M. It suggested that the attack netted:
  • 9,651 unexpired credit card numbers
  • 47,680 unique email addresses
  • 25,680 unique telephone numbers
  • 44,188 encrypted passwords of which roughly half could be "easily cracked"
This list is expected to grow if the hackers publish details of the N to Z list.

Donations

A tweet posted to the account @AnonymousIRC on 25 December claimed that $1m (£650,000) had been taken from the hacked accounts and had been given to charity.

Participants in Anonymous have subsequently posted screenshots which allegedly show money being transferred to the charities Red Cross, Save the Children and Care.

The organisations will have to return the money if credit card owners report the charges as being unauthorised. Some supporters of the Anonymous movement have also expressed concern that the charities could theoretically be charged a fee for the return of the transactions.

Anonymous Twitter accounts have also hinted that the hackers planned to release details of emails harvested in the breach, adding that "Stratfor is not the 'harmless company' it tries to paint itself as."

Stratfor could not be reached for comment. However, a video posted to YouTube by Fred Burton, its vice president of intelligence, promised to provide updates "as more details become available" and offered details about the credit card protection scheme.

Tuesday 20 December 2011

Press Release: Security Research Initiative Survey Launched

A major study of the UK security sector has been announced today. It is supported by the UK's leading security associations and is being undertaken by researchers at Perpetuity.

Those working in the security sector are being invited to complete an on-line questionnaire that addresses the state of the security sector and specifically the potential impact of both changes to regulation and the recession.

Three groups are being invited to complete the survey. They are:

  1. Directors and Managers of a company providing security goods and/or services
  2. Buyers of security goods and/or services (e.g. Security Managers/Directors of corporations and public/voluntary bodies, Facilities Managers and Procurement specialists).
  3. Security officers or supervisors of security officers who undertake security guarding duties. This covers static and patrolling duties protecting company assets, Cash and Valuables in Transit work, Close Protection, Door Supervision, Public Space Surveillance (CCTV), Immobilisation, restriction and removal of vehicles and Key Holding.

The survey should take no more than 20 minutes to complete. It can be accessed at:

The deadline for responses is the end of January 2012.

Professor Martin Gill, who is head of Perpetuity Research, which is leading this study as part of the 'Security Research Initiative' stated:

'This could be the largest survey of the security sector ever undertaken, and we would encourage individuals to take part. This is a rare opportunity to gain insights into what people are really doing, and what they really think about what is happening in security. The survey is anonymous, no names of individuals or companies are recorded. The findings will be made available free of charge, so do please complete it.'

Questions and queries should be addressed to:

Professor Martin Gill

Further information on the Security Research Initiative can be found on our website: http://www.perpetuityresearch.com/sri.html

Friday 16 December 2011

National Day of Protest UK Uncut Christmas Special, Information for Businesses From the Met Police

UK Uncut has recently announced an event entitled ‘Christmas Special’, which is being promoted to take place on Saturday, 17 December 2011 between 1300 hours and 1700 hours. The stated aims of this protest are to highlight the government austerity measures and non-payment of tax. It is their intention to target high street retail business premises. Recent events have shown that this has predominantly taken place in Central London. We would advise all retail sectors within Greater London to consider the following guidance, which is by no means exhaustive.

The Metropolitan Police Service is fully aware of the potential impact of any major event on the local business community and is well equipped to deal with events like this. We have an appropriate and proportionate policing plan in place and are working closely with our strategic business partners to ensure that any disruption is kept to a minimum whilst at the same time aiming to police and facilitate peaceful protest.

The following guidance has been produced to help businesses to prepare for any incidents which may arise as a result of this activity in the Metropolitan Police Area.

Keep up to date with latest information

For live updates on the progress of this event you can also subscribe to the official free police community

Follow the MPS updates on the day on Twitter @CO11metpolice

Contact numbers

In the event of an emergency call the emergency number 999.

In the event of a situation that does not require an emergency response, please call 101 (calls to 101 from landlines and mobiles cost 15 pence per call, no matter what time of day you call or how long your call lasts).

If you have information about crime, you can also call Crimestoppers anonymously on 0800 555 111.

Ensure that all staff are fully briefed. Security officers, where possible, should have a visible presence at premises. It would be advisable that a senior manager make himself/herself identifiable to police in the event of an incursion into your business premises. Ensure that your exit/entry points are monitored and that you are able to lock and secure any points of entry if required to do so.

Be alert to large groups forming outside of business points of entry and ensure staff remain vigilant and report any suspicious activity to security and/or police. Check that your emergency equipment supplies and radio communications systems are stocked and fully operational at all times.

Crime

If you identify any unusual markings on your building please report immediately to police. If crime is committed or an incursion takes place in your premises consider the preservation of evidence, where possible, on the advice of police.
Ensure CCTV coverage is fully operational and can provide the highest possible recorded resolution.

What you can expect to see

You may notice officers outside some premises; this is because during recent protests some buildings have been targeted and damaged. The officers are there to protect these buildings, to assist those inside to go about their daily business, and to deal with any incidents of crime and disorder. All officers will be uniquely identifiable by a series of numbers, letters or both, which will be visible on their outer clothing.

Saturday 3 December 2011

Update - Your chance to win an iPad 2: Cybersecurity Conference & Expo – Washington, DC (10% discount via Chatback Security)

3rd December Update:

We wanted to give you an exciting new update about a new promotion where people can receive a 10% discount off their Cybersecurity Conference registration. Plus- if registrants attend the event on Thursday, Dec. 8, they'll be entered to win an iPad 2! Click here for more information http://on.fb.me/GovCyberiPad

Previous Message:

The Cybersecurity Conference and Expo is coming up on December 8-9 in Washington, DC - delivering in-depth training for government practitioners and essential networking opportunities with government and industry leaders at the forefront of cybersecurity initiatives.

It will bring together government and private industry to learn about advanced technologies and strategies addressing global information security threats.

The 2-day conference will offer insights and education on topics including: 
  • The latest threats and solutions, risk mitigation, cyber espionage and the pillaging of American technology
  • The business aspects of cyber - calculating ROI, cybersecurity investment strategy, education and training
The full brochure is available here.

A great list of industry experts -

Are you prepared to tackle the evolving cyber threats? The Cybersecurity Expo provides unique solutions for government agencies to manage cybersecurity programs and mitigate the risks of cyber attacks.

This looks like a fantastic opportunity to meet industry experts and to keep up to date on the latest technology and threats in the cybersecurity arena.

It's too far for me to travel unfortunately but if you are interested in attending you can receive a 10% discount via here.

Thursday 1 December 2011

GCHQ attracts wannabe spies with viral cryptography

GCHQ, Britain's secretive agency of intelligence experts, wants to find new spies. To make sure it has candidates who are up to scratch, the agency is inviting hobbyist cryptanalysts to try to break a code online.

A website called "can you crack it" is being spread via a viral campaign around social networks like Twitter and Facebook. The site shows a seemingly senseless jumble of 160 pairs of numbers and letters, and a box to enter some kind of answer.

By: Mark Brown, Edited by: Duncan Geere