Enterprise Security Risk Management Security and the ISO31000 Standard?

Julian Talbot, Jakeman Business Solutions Pty Ltd. ISO 31000 Conference, 21-22 May 2012. G31000, the Global Risk Management Platform. Once upon a time… 4360 (1995). Fear Uncertainty Doubt. 31000. ISO31000.


Presentation Transcript


  1. Enterprise Security Risk Management Security and the ISO31000 Standard? Julian Talbot, Jakeman Business Solutions Pty Ltd. ISO 31000 Conference, 21-22 May 2012. G31000, the Global Risk Management Platform
  2. Once upon a time… 4360 (1995); Fear Uncertainty Doubt; 31000
  3. ISO31000: Communication and Consultation; Establish the Context; Monitoring and Review; Principles; Framework; Process; Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation); Risk Treatment
  4. Why ISO31000 works for Security?
  5. Why ISO31000 works for Security? ‘Apples for apples’ comparison: taxonomy (eg: likelihood and consequence); risk assessments by different assessors; Longitudinally; between divisions or other organisations; against environmental, safety, financial risks. Better decisions and allocation of resources. Permission to add value. Ability to integrate methodologies.
  6. Communication and Consultation; Establish the Context; Monitoring and Review; Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation); Risk Treatment
  7. Julian Talbot (ASIS 2009). Enterprises… $30 billion budget; 120,000 people; 8,000 facilities; 41 Risk Criteria; 15 Divisions
  8. Australian Trade Commission (Austrade): Assists Australian businesses to export; 1,400 staff in 60 countries; 120 offices including 22 Consular posts; $400 million annual budget
  9. Understanding the risks: Official sources including Department of Foreign Affairs & Trade (DFAT), National Threat Assessment Centre (NTAC); Open source and commercial providers; Internal capability; Austrade posts and officers; Austrade Security Team; Security Risk Assessments; Incident reporting
  10. Terrorism (Source: Nationmaster.com)
  11. Assault (Source: Nationmaster.com)
  12. Fraud (Source: Nationmaster.com)
  13. Enterprise Security Risk Assessment (ESRA): Defensible, systematic and robust basis for decision making and planning; Provide senior management with an assessment of current and emerging risks; Inform the development and application of ongoing budgets and security measures
  14. Enterprise Security Risk Assessment (ESRA): Whole of organisation/enterprise; Inform budget and systems planning; Known & emerging threats to the ‘business’; Not location, activity or function specific. ‘Enterprise Security Standards’: Based on location, activities and functions
  15. Example Only: Enterprise Security Standards
  16. Results… Austrade: 5 year $60 million security plan; Robust, well documented analysis; Business case - AUD$18.4 billion exports with Austrade assistance (vs $12M p.a. on security). Defence: 5 year $300 million security plan; Included - $120 million existing treatments. Finance: 3 year $2 million security plan; Proportional - to the agency
  17. Last points… All SR Managers: Something free? Business card? Been robbed? Been a robber? Illegal drugs? Been to Africa? Papua New Guinea? Motorcycle license?
  18. Last points… All SR Managers: Be prepared; Time critical; Emotional decisions; Red teaming; 15% of the economy; It’s personal! Big risk taker! HUGE risk taker!
  19. Thank you. Contact me at: julian.talbot@jakeman.com.au. Download this presentation from: www.jakeman.com.au