Risk Analysis and the Security Survey 3rd edition
rhea-cook
Presentation Transcript

  1. Risk Analysis and the Security Survey 3rd edition Chapter 12 Mitigation and Preparedness

  2. Comprehensive Emergency Management • Originated in public sector planning • Integrated approach • Addresses the treatment of risk • Consists of four components • Mitigation, preparedness, response and recovery

  3. Mitigation • Sustained action that reduces or eliminates risk • Can reduce occurrence of a hazard • Cost-effective • Cost of Mitigation – Benefit avoids losses • Federal Emergency Management Agency (FEMA) methodology • Geared toward regional planning, not for individual businesses

  4. Mitigation • Four major steps in FEMA’s Risk Mitigation Methodology: • Organize resources • Assess Risks • Develop mitigation plan • Implement plan and monitor progress

  5. Mitigation • Corporate Model Similar to FEMA • Identify hazards • Devise strategies • Select cost-effective solutions • Implement solutions

  6. Mitigation – Hazard Identification • Historical events and conditions • Predict impact of past events • Recurrence rates • Libraries • Historians • Newspapers • Declared disasters • Land use permits and geological reports • Internet • Insurance companies • Community experts

  7. Mitigation – Hazard Identification • Inspections • Use macro and micro view • Community hazards • Cause and effect • Collateral or synergistic damage • Experienced Inspector

  8. Mitigation – Hazard Identification • Checklists • Used to check completeness • Should not be the only tool used • Should answer: • How can employees be injured? • How can critical systems and assets be damaged or attacked? • What single points of failure exist? • What hazards can disrupt operations? • How will hazards affect the environment?

  9. Mitigation – Hazard Identification • Process Analysis • Used for complex operations • Hazard and Operability (HAZOP) • Failure Mode and Effects Analysis (FMEA) • Preliminary Hazard Analysis (PrHA)

  10. Mitigation – Hazard Identification • Hazard and Operability (HAZOP) • Deviation of a process from its designed intent • Guide words • Qualify or quantify the design criteria to identify deviations • “no,” “more,” “as well as,” and “other than” • Consequences mapped

  11. Mitigation – Hazard Identification • FMEA • Identifies relative risk of process design • Risks are rated relative to each other using RPN • Assigns Risk Priority Number for each failure mode and its resulting effects • PrHA • Inventory system of hazards and risks • Develops expected loss rate

  12. Mitigation – Hazard Identification • Take the data from previous steps • Cause and Effect • Anticipate the unexpected • Scenario planning • Devise strategies based on future variables • Use mindset of the ‘enemy’ • Technical weakness that can be exploited

  13. Mitigation – Hazard Identification • Methodology - Department of Homeland Security • Four modes to hazard identification • Application mode – the hazard • Duration • The length of time the target is affected by the hazard • Dynamic and static characteristics • Tendency of the hazard to change in relation to time, magnitude or area at risk • Mitigating and exacerbating conditions • Conditions that reduce or increase the hazard

  14. Mitigation – Hazard identification • When identifying vulnerabilities and threats address the following • Inherent vulnerability • Threats due to nature of the target • Tactical vulnerability • Threats due to the presence or absence of protective measures

  15. Mitigation – Hazard identification • Identify inherent and tactical vulnerabilities through: • Visibility • To the public and attackers • Utility • Accessibility • Asset mobility • Hazardous materials • Collateral damage • Occupancy • Threats are ranked to determine criticality

  16. Mitigation Strategies • Mitigation strategies • General and specific • General strategies classified as: • Risk Management • Mitigating a risk is the most effective control • Engineering controls • E.g., CPTED

  17. Mitigation Strategies • Regulatory controls • Fire Safety codes • Often revised after a disaster • Administrative controls • Policies and agreements • Service agreements • Contractual agreements with 3rd party providers • Redundancies and divergence • Separation of process or hazards • Keep critical data, personnel, equipment and process away from hazards

  18. Mitigation Strategies • Specific mitigation can include: • Alternate power sources • Most common ‘disaster’ • Surges, spikes, drops in power • Uninterruptible Power Supply • Multiple grids • Redundant power lines • Backup generators

  19. Mitigation Strategies • Alternate communications • Service and replacement agreements • Some vendors offer 24-hour replacement agreements • Bypass circuits and fax lines • Bypass main lines to backup facility • Divergent routing • Many modes for data transmission – wired, wireless, fiber, cable, microwave, satellite • Cellular backup • Satellite systems • Hot / cold sites • Third party call centers

  20. Mitigation Strategies • Policies and procedures • Data back-up policies • Data backup strategies • Daily incremental • Full backup • Archiving • Data taken off site • Offsite facility must be monitored and audited

  21. Mitigation Strategies • Records Management • Loss of records major risk • Businesses fail to recover after a disaster if they lose records • Loss could bring criminal sanctions • Vital records important to continued operations

  22. Mitigation Strategies • Facilities salvage and restoration • Consequences of a fire or flood • Services available • Restoration can save up to 75% over replacement costs • Time to replace is also greater than restoration • Pre-registration • Restoration company performs inventory of assets

  23. Mitigation Strategies • Cost-effectiveness of mitigation • Solutions must be: • Cost-effective • Technically feasible • Not create additional hazards

  24. Mitigation and Preparedness Preparedness • Steps taken to enable response • Important component of CEM • Have plans and resources in place, keep them updated and test • Capability to manage and respond to an incident

  25. Mitigation and Preparedness Preparedness • Emergency Supplies for employees • Stranded at work • Involved in recovery operations • Minimum 72 hour supply • Contents of cache • Spare parts • Service level agreements • Mutual agreements with competitors • Justification