Security, Risk, Safety and Resilience Newsletter - Week of 14 Apr 22
Security, Risk, Safety and Resilience Newsletter - Week of 14 Apr 22. Tony Ridley, MSc CSyP MSyI M.ISRM


The following is a summary of security, risk, safety and resilience articles, topics and issues ending the week of 14 April 22.

Key themes for this week include:

  1. Security Risk Management: Process, Procedure & Evidence
  2. Risk Management: Uncertainty, Analysis & Assessments
  3. Business Continuity: Resilience, Revision and Perpetuity
  4. Resilience: Data, Critical Infrastructure & Systems Thinking

------------------------------

Risk, Safety, Security & Resilience: Concealed, complex and dynamic systems, structures and culture/s

Consideration of systems, structures, networks and mental models within the context of risk, safety, security and resilience routinely remains a superficial affair.

That is, what is most visible, tangible, recent or collectively agreed upon drives thinking or perceived understanding of the cause or origins of risk, harm, loss and damage.

In other words, when an event occurs, and the cause seems obvious and collectively agreed upon, there is little desire or apparent commitment to examine the underlying issues any further. In short, it's obvious... look no further!!

Read More...


Risk & Uncertainty Analysis: Assessment Framework

"This document provides guidance on #risk and uncertainty in the context of planning and forecasting expected demand and achieving defined outcomes. The approaches defined in this document complement existing methods of analysis described in the Assessment Framework to make the analysis more robust, most notably:

• Stage 1: Identify risks and uncertainties that are a key driver for the proposal. This may be particularly relevant where resilience is a driver for change.

• Stage 2: Review the proposal at a high level to identify exposure to risk and uncertainty, then develop options that consider and/or respond to it:

― identify and respond to risk exposure

― identify potential shocks and stresses (see the Overview volume)

― review option performance under shocks and stresses

― develop flexible investment strategies to respond to uncertainty.

• Stage 3: Apply the same principles as Stage 2 in further detail, to validate the approach and analyse the shortlisted options in detail."

Read More...


Security Risk Assessment: Systematic, Logical and Evidentiary Practices with Supporting Analysis or Documentation

The application and outcomes or benefits associated with 'security' do not exist in a vacuum, nor should security tactics, mitigation or controls be applied in the absence of specific, considered and realistic threats.

In other words, security management is not the arbitrary deployment, purchase or management of security widgets, tech, people, processes or practices.

Evidence, analysis, assessments and risk measurement are mandated.

Read More...


Detecting the Unknown: A Guide to Threat Hunting

"Threat Hunting, often referred to as Incident Response without the Incident, is an emergent activity that comprises the proactive, iterative, and human-centric identification of cyber threats that are internal to an Information Technology network and have evaded existing security controls. Departments that operate a Threat Hunting capability will improve their security posture and hence reduce risk, as malicious activity can be identified earlier on in an attack, thereby minimising the opportunity for adversaries to disrupt, damage or steal."

Read More...


Continuity of Service and Business: The cycle that never sleeps, just like the threats, harms and potential disruption(s)

Threats to business, operations, people and profit never sleep. Risk is not static nor entirely visible, let alone completely measurable. As a result, continuity of business and service remains a 24/7 task that goes on into perpetuity.

That is, business continuity plans and planning are never finished nor perfect and must remain active, prepared and responsive day and night...forever.

Diffused and supporting elements such as crisis management, risk management, customer support, operations and finance create a modern maelstrom of information, data and knowledge which in turn creates challenges in distinguishing the signals from the noise.

Read More...


Security Risk Assessment Tool: User Guide

"...the Security Risk Assessment Tool 3.0 (SRA Tool), designed to help covered entities and business associates that handle patient information to identify and assess #risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information (PHI) in their environment. The HIPAA #Security Rule requires health care providers, health plans and business associates to conduct risk analyses and implement technical, physical and administrative safeguards to protect Electronic Protected Health Information (ePHI)."

Read More...


Safety, Security & Risk Strategies: Disconnects & varying concepts for differing actors at various organisational levels

Not only do various layers of the same organisation conceive and implement safety, security, risk or resilience differently, but they also tend to have varying beliefs and practices on how to control visible strategic failures such as 'accidents', mistakes, errors and fiascos.

That is, while regulators may insist upon greater risk constraints, frontline actors remain dependent upon experience, education, knowledge and psychological factors to identify, mitigate and control a wide variety of actions, factors and probabilities.

This process and its variance only compound and vary further across additional layers such as teams, management and executive leadership.

Read More...


Critical Infrastructure Emergency Risk Management and Assurance

"Successful critical infrastructure Emergency Risk Management (ERM) requires the effective engagement of stakeholders and communities. Effective engagement enables the strategic management of uncertainty and develops resilience amongst those involved. ERM goes far beyond being a technical or political process - it is also a social process. There may be great diversity of opinion on the actual #risks and their various sources, given different perceptions, knowledge and experience."

Read More...


National Data Security Action Plan

"Australian government, business and citizen data is a strategic asset and must be secured accordingly. Data is fundamental to how we work, relate and recreate. It is used to process bank transactions, manage payrolls for our businesses, stay in touch with friends, confirm our vaccination status and run the machines and infrastructure that are essential to our way of life. Data and digital technologies have become a critical part of our economy and the security of our data is critical to Australia's national interest. This includes information such as biometric information used to prove an individual's identity through facial recognition, which Australians increasingly use to make their online activity more secure."

Read More...


Tony Ridley, MSc CSyP MSyI M.ISRM

Security, Risk, Resilience, Safety & Management Sciences
