
Risk Analysis and the Security Survey 3rd edition

Risk Analysis and the Security Survey 3rd edition. Chapter 12 Mitigation and Preparedness. Comprehensive Emergency Management. Originated in public sector planning Integrated approach Addresses the treatment of risk Consists of four components

rhea-cook

Presentation Transcript


  1. Risk Analysis and the Security Survey 3rd edition Chapter 12 Mitigation and Preparedness

  2. Comprehensive Emergency Management • Originated in public sector planning • Integrated approach • Addresses the treatment of risk • Consists of four components • Mitigation, preparedness, response and recovery

  3. Mitigation • Sustained action that reduces or eliminates risk • Can reduce occurrence of a hazard • Cost-effective • Cost of Mitigation – Benefit avoids losses • (Federal Emergency Management Agency) FEMA methodology • Geared toward regional planning not for individual businesses

  4. Mitigation • Four major steps in FEMA’s Risk Mitigation Methodology: • Organize resources • Assess Risks • Develop mitigation plan • Implement plan and monitor progress

  5. Mitigation • Corporate Model Similar to FEMA • Identify hazards • Devise strategies • Select cost-effective solutions • Implement solutions

  6. Mitigation – Hazard Identification • Historical events and conditions • Predict impact of past events • Recurrence rates • Libraries • Historians • Newspapers • Declared disasters • Land use permits and geological reports • Internet • Insurance companies • Community experts

  7. Mitigation – Hazard Identification • Inspections • Use macro and micro view • Community hazards • Cause and effect • Collateral or synergistic damage • Experienced Inspector

  8. Mitigation – Hazard Identification • Checklists • Used to check completeness • Should not be the only tool used • Should answer: • How can employees be injured? • How can critical systems and assets be damaged or attacked? • What single points of failure exist? • What hazards can disrupt operations? • How will hazards affect the environment?

  9. Mitigation – Hazard Identification • Process Analysis • Used for complex operations • Hazard and Operability (HAZOP) • Failure Mode and Effects Analysis (FMEA) • Preliminary Hazard Analysis (PrHA)

  10. Mitigation - Hazard Identification • Hazard and Operability (HAZOP) • Deviation of a process from its designed intent • Guide words • Qualify or quantify the design criteria to identify deviations • “no,” “more,” “as well as,” and “other than,” • Consequences mapped

  11. Mitigation – Hazard Identification • FMEA • Identifies relative risk of process design • Risks are rated relative to each other using RPN • Assigns Risk Priority Number for each failure mode and its resulting effects • PrHA • Inventory system of hazards and risks • Develops expected loss rate

  12. Mitigation – Hazard Identification • Take the data from previous steps • Cause and Effect • Anticipate the unexpected • Scenario planning • Devise strategies based on future variables • Use mindset of the ‘enemy’ • Technical weakness that can be exploited

  13. Mitigation – Hazard Identification • Methodology - Department of Homeland Security • Four modes to hazard identification • Application mode – the hazard • Duration • The length of time the target is affected by the hazard • Dynamic and static characteristics • Tendency of the hazard to change in relation to time, magnitude or area at risk • Mitigating and exacerbating conditions • Conditions that reduce or increase the hazard

  14. Mitigation – Hazard identification • When identifying vulnerabilities and threats address the following • Inherent vulnerability • Threats due to nature of the target • Tactical vulnerability • Threats due to the presence or absence of protective measures

  15. Mitigation – Hazard identification • Identify inherent and tactical vulnerabilities through: • Visibility • To the public and attackers • Utility • Accessibility • Asset mobility • Hazardous materials • Collateral damage • Occupancy • Threats are ranked to determine criticality

  16. Mitigation Strategies • Mitigation strategies • General and specific • General strategies classified as: • Risk Management • Mitigating a risk is the most effective control • Engineering controls • E.g., CPTED

  17. Mitigation Strategies • Regulatory controls • Fire Safety codes • Often revised after a disaster • Administrative controls • Policies and agreements • Service agreements • Contractual agreements with 3rd party providers • Redundancies and divergence • Separation of process or hazards • Keep critical data, personnel, equipment and process away from hazards

  18. Mitigation Strategies • Specific mitigation can include: • Alternate power sources • Most common ‘disaster’ • Surges, spikes, drops in power • Uninterruptible Power Supply • Multiple grids • Redundant power lines • Backup generators

  19. Mitigation Strategies • Alternate communications • Service and replacement agreements • Some vendors offer 24-hour replacement agreements • Bypass circuits and fax lines • Bypass main lines to backup facility • Divergent routing • Many modes for data transmission – wired, wireless, fiber, cable, microwave, satellite • Cellular backup • Satellite systems • Hot / cold sites • Third party call centers

  20. Mitigation Strategies • Policies and procedures • Data back-up policies • Data backup strategies • Daily incremental • Full backup • Archiving • Data taken off site • Offsite facility must be monitored and audited

  21. Mitigation Strategies • Records Management • Loss of records major risk • Businesses fail to recover after a disaster if they lose records • Loss could bring criminal sanctions • Vital records important to continued operations

  22. Mitigation Strategies • Facilities salvage and restoration • Consequences of a fire or flood • Services available • Restoration can save up to 75% over replacement costs • Time to replace is also greater than restoration • Pre-registration • Restoration company performs inventory of assets

  23. Mitigation Strategies • Cost-effectiveness of mitigation • Solutions must be: • Cost-effective • Technically feasible • Not create additional hazards

  24. Mitigation and Preparedness Preparedness • Steps taken to enable response • Important component of CEM • Have plans and resources in place, keep them updated and test • Capability to manage and respond to an incident

  25. Mitigation and Preparedness Preparedness • Emergency Supplies for employees • Stranded at work • Involved in recovery operations • Minimum 72 hour supply • Contents of cache • Spare parts • Service level agreements • Mutual agreements with competitors • Justification
