In December 2011 James Willison, pictured, (founder of Unified Security and vice-chair of the ASIS European Security Convergence sub-committee) began working with Dr Simon Oxley, MD of Citicus Ltd, to develop and promote aspects of an established IT risk management tool, Citicus ONE, for physical security managers.
Citicus had already started to help some of its customers, including E.ON and the Government of British Columbia, to apply the software-based methodology to physical security risks. Willison is convinced that the tool can really help security managers in the physical and converged space. Today the physical security manager is faced with many complex risks and needs to identify those which are most important if he or she is to manage a site’s security effectively. Often reliant on their own experience, security managers can find it difficult to establish an objective and consistent risk register, especially when there are numerous sites and assets to assess and manage. Risk assessments and reports are often produced using spreadsheets or word processors and are frequently incomplete, out of date or mislaid, so the need for an efficient, automated and centralised process is clear. Risk assessments should be easy to produce and maintain, with the ability to correlate them across multiple sites. We only have to look at current news stories to see that few managers effectively manage security risk. But this doesn’t need to continue.
Increasingly, systems are networked and the technology risks are less familiar to the physical security specialist. Hence there are also the issues of the multiplicity of risks and of the blended threat. In many organisations physical security and information security are managed by two separate departments. The recent ASIS Europe/ISAF survey indicates that 57 per cent of security professionals think convergence is important because of the blended threat. The awareness that people are able to exploit technology to their advantage has led information security leaders to join forces with traditional security professionals and develop strategies designed to combat these new risks. For some security managers this kind of collaboration is pretty familiar, but for others it is not in their scope. However, the benefits of a common reporting process are clear, as the need for all areas of security to work together becomes more obvious. As those who wish to protect our organisations from harm, it is vital that we prevent serious damage to assets, both tangible and intangible.
Citicus ONE enables you to identify security risks from all areas efficiently and ensure that you can prioritise them. You can focus on physical security management and measure the risks you face, or widen its scope to include the IT areas. It has also been optimised for use at SCADA sites and incorporates the relevant standards and policies. This kind of risk assessment is a key convergent process because managers responsible for risk can concentrate on those risks which need their attention. It also saves time and avoids duplication, whilst warning an organisation that certain assets are more likely to suffer harm than others. Objective risk identification gives you more control of asset protection and of the risks to continued security.
Citicus ONE is therefore an effective way of helping you protect the business when the threats are increasingly complex.
Citicus’ software can also provide the foundation for an automated physical asset protection management system (PAPMS) as specified by the newly published ANSI/ASIS PAP.1 2012 standard. Willison and Oxley worked in the Convergence Team for the standard, which is the first to highlight the importance of security convergence. The ANSI/ASIS PAP standard defines a framework that helps practising security managers to apply and manage physical security measures to safeguard an organisation’s people, property and information. The standard strongly promotes the convergence of risk management activities across an organisation through a cross-functional risk assessment and management system that identifies, evaluates and resolves all security risks within a single, managed process.
So what can be done? Citicus ONE can be used to help you identify your assets and establish the potential harm they face from incidents. It then enables a security manager to assess a range of risk factors, including the current status of the controls in place and any past history of incidents. Site security controls can be measured against recognised standards and company policy. Graphical reports highlight key risk metrics and can be used to identify the remedial action needed to reduce risk or ensure compliance with corporate or regulatory requirements. As this information is stored centrally, either internally or using Citicus’ secure hosting service, it can easily be provided to senior management, auditors or external regulators if required. Willison and Oxley think that Citicus ONE could be of significant value to many physical security managers as they come under increasing scrutiny to provide acceptable processes and metrics which give clear evidence of their risk management strategy. Can you confidently assure your executive team that you have this kind of process in place, one which correlates security risk across the business? If not, then please get in contact with James Willison and Simon Oxley, who would be delighted to advise you further.