Security Management: Newsletter - Feb 2023
Security Management
Protection, guarding, defence and management of assets from the realm of threats such as natural, human and operations
Of the 452 posts published to the Security Management showcase page during February 2023, which generated 202,731 views, 61,179 clicks, 1,848 likes and 792 reposts, here are the top 12, based on volume. Ridley Tony
Members and Subscribers get more at Patreon. Check it out:
Also, don't forget the Risk Management newsletter. Of the 457 posts published to the Risk Management showcase page during February 2023, which generated 297,959 views, 75,015 clicks, 2,498 likes and 687 reposts, here are the top 10, based on volume.
Collectively, these two showcase pages generated nearly half a million views last month, generating approximately 140,000 clicks and 4,500 likes. In addition, the independent newsletters from both these showcase pages have over 13,000 international subscribers.
How is Risk Management Different from Security Management?
"When the protection of an asset is non-negotiable, and the antagonist is creative, capable and malevolent, the evidence is that protectors reject the idea of risk-taking in favour of risk-avoiding. They try to deceive and unbalance the adversary, and base their decisions on updated and detailed intelligence rather than on statistics. To a strictly calculated margin of safety, they prefer redundancy."
Manunta, G. (2002). Risk and security: Are they compatible concepts? Security Journal, 15, 43-55.
"Protection measures should be developed in line with the risk assessment, and it should be ensured that they are applied equally across all staff (local and international), and seniority levels. Organisations should provide training in security measures to staff, give orientations to new employees, and pursue coordination with other agencies or security forums."
"Top Risks in #Cybersecurity 2023; These top eight macro risks represent a consolidation of the most likely and impactful of the risks identified by the working group. Each risk's description includes 'Key Risk Factors,' which identify concrete examples or hazards that fall under the identified risk. The listed key factors are starting points; they are not exhaustive."
"A security management system (SMS) audit is an evidence-based review of the system's structure and functions and a test of the system's purpose. Auditing provides managers and their staff with essential information from which to identify system strengths and weaknesses, allowing resources to be focused where most needed. The audit process also serves as a tool for <entities> to conduct due diligence of their internal management processes and determine if the security management system is fit for purpose."
"This document provides guidance on how to secure operational technology (#OT), while addressing their unique performance, reliability, and safety requirements. OT encompasses a broad range of programmable systems and devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems and devices detect or cause a direct change through monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building automation systems, transportation systems, physical access control systems, physical environment monitoring systems, and physical environment measurement systems. The document provides an overview of OT and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks."
"Repeated cyber intrusions into organizations of all types demonstrate the need for improved #cybersecurity. Cyber threats continue to grow, and they represent one of the most serious operational risks facing modern organizations. National security and economic vitality depend on the reliable functioning of critical infrastructure and the sustained operation of organizations of all types in the face of such threats. The Cybersecurity Capability Maturity Model can help organizations of all sectors, types, and sizes to evaluate and make improvements to their cybersecurity programs and strengthen their operational resilience."
"The C2M2 focuses on the implementation and management of cybersecurity practices associated with information, information technology (IT), and operations technology (OT) assets and the environments in which they operate. The model can be used to:
"This guide aims to be a simple, easy-to-use security resource to help smaller NGOs demystify security risk management. By setting out the elements of a basic security risk management framework, this guide aims to support NGOs in translating their #dutyofcare obligations into key processes and actions that will not only enhance their national and international staff security but also improve their organisation's reputation and credibility. Although the guide is intended to be applicable to both national and international NGOs, some elements may be more relevant to one or the other.
Many existing NGO security resources tend to focus on the requirements of larger humanitarian and development organisations, i.e. those with large multi-national staff teams working in multiple countries, often with dedicated security staff. This guide is mindful of the limited resources and the specific challenges that smaller NGOs may face in trying to establish and maintain a security risk management framework.
This guide complements other essential guides; it provides a broader perspective on the overarching framework an organisation should aim to have in place in order to improve its security risk management. This guide also aims to complement the EISF 'Security Audits' guide, which enables organisations to take stock of what they have in terms of staff security and what needs to be improved."
"...#CyberSecurity NSW does not clearly and consistently communicate its key objectives to ensure that its efforts are effectively and efficiently targeted, prioritised, planned, and reported. This is despite it receiving enhanced funding to expand the scope of services it provides. It currently has many sets of objectives across a range of sources, including the Cyber Security Strategy, business plans, corporate material, and public communications. It has too few reliable and meaningful ways of measuring progress toward its objectives, and no overall workplan or roadmap to show how the objectives will be achieved.
Without a clear and consistent program logic, it is difficult to determine whether the functions and services delivered by Cyber Security NSW are helping to achieve the level of cyber resilience required to meet the increasing cyber threats faced by the NSW public sector.
Cyber Security NSW does not provide assurance of the cyber security maturity self-assessments performed by individual NSW Government agencies"
"Risk" knowledge, experience and qualifications are acquired. That is, the specific aspects, processes, methods, influence, ideology, science and cultural factors associated with risk in all its forms, silos, and applications originate from and must be communicated via specific means within specific contexts. And for all students, there must be a teacher, mentor or someone to learn from.
So, the big question is, where is 'risk' knowledge coming from and who is teaching it?
What representative proportionality do various disciplines and professions have specific to risk?
"Situational awareness, in the context of this guide, is the understanding of one's environment and the ability to predict how it might change due to various factors. As part of their current #cybersecurity efforts, some electric utilities monitor physical, operational, and information technology (IT) separately. According to energy sector stakeholders, many utilities are currently assessing a more comprehensive approach to situational awareness, which, through increased real-time or near real-time cybersecurity monitoring, can enhance the resilience of their operations.
The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) built a laboratory environment to explore an example solution that can be used by energy sector companies to alert their staff to potential or actual cyber attacks directed at the grid.
The #security characteristics in our situational awareness platform are informed by guidance and best practices from standards organizations, including the NIST Cybersecurity Framework and North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) Version 5 standards.
This NIST Cybersecurity Practice Guide demonstrates how organizations can use commercially available products that can be integrated with an organization’s existing infrastructure. The combination of these products provides a converged view of all sensor data within the utility’s network systems, including IT, operational, cyber, and physical access control systems, which often exists in separate “silos.”
The example solution is packaged as a "how to" guide that demonstrates implementation of standards-based cybersecurity technologies in the real world and based on risk management. The guide may help inform electric utilities in their efforts to gain situational awareness efficiencies. Doing so may enable faster monitoring, identification, and response to incidents while also saving research and proof-of-concept costs for the sector and its ratepayers and customers."
"As with all safety and security measures, the first critical step is to complete a risk assessment. Natural disasters, famines, disease outbreaks and even national elections can present as many risks as human conflict, terrorism or other types of violence. This guide provides a simple risk assessment format that staff can use to identify and measure various risks."
"Although process control systems are now frequently based on standard IT technologies, their operational environments differ significantly from the corporate IT environment. There are a great number of lessons that can be learned from the experiences gained by the IT security experts and, after tailoring, some standard security tools and techniques can be used to protect process control systems. Other standard security measures may be completely inappropriate or not available for use in a control environment."
In order for a security manager to be successful, they must possess the following skills, knowledge, and abilities in….
What comes next?
What exactly are the criteria for a modern security manager or security risk management professional?
Do you map these strengths and weaknesses, or do you use a comparable model for recruitment, promotion or development?
These remain valid questions for those who work in security roles or the industry, but also for those in executive leadership, management, culture and capability, or finance roles.
No security/risk individual is identical to another, and neither are the contexts and requirements for specific skills, criteria or qualifications from one environment to the next.
In short, all security risk management strategies and plans must include consideration and evaluation of the 'protector', security representative or individual(s) charged with the task(s).
Risk, Resilience, Safety, Security & Management Sciences (Applied)