Thursday, April 29, 2010

How FSOs Develop a Risk Assessment Model to Protect Classified Information

I’ve posted a few articles on risk assessment and on using the results of a risk assessment to implement and direct a security program that protects classified information. I’ve even written about how a risk assessment can help you determine whether or not you need alarms, cameras and other protective measures beyond what the NISPOM requires. What I have not yet written about is how to actually do a risk assessment.

You might recall that in earlier articles I’ve emphasized the importance of finding out what the threats to classified information are for your particular organization. One of my concerns is that many FSOs may financially commit their companies to expensive measures that are not even required. Industry standards and common practices can start to look like requirements. To some, it may be unheard of not to have alarms, cameras or access control systems (door magnets and card readers). However, the NISPOM does not require these (apart from the intrusion detection systems it specifically identifies), and in many circumstances they may be unnecessary.

What’s needed is a risk assessment. If cameras and alarms are necessary, then provide the evidence to your company officers and get it in the budget. If not, provide the findings to your management to demonstrate your value at reducing unnecessary costs. They will appreciate your assessment and ability to provide realistic and useful input.

Risk assessments can be as scientific and involved as you need them to be. However, I prefer simplicity and am willing to accept the small risk of error that a simple assessment tool may bring. As simple as this design is, its value has always been tremendous. Again, a risk assessment is meant to complement the requirements of the NISPOM, not replace them. For example, classified information is ALWAYS required to be stored according to the NISPOM, regardless of the risk level you might identify.

Begin with a list of what you would like to protect: classified information, product, employees and visitors, export-controlled items, and so on. These go under the column called assets. They are what you as the FSO and/or senior security manager want to protect. The list can be as long or as short as you want, but it should capture the most important items you and your organization want to protect.

Next, what are the threats? Do you live in an area subject to theft, break-ins, violence or severe weather? Is your company next to a transportation terminal that handles explosives or dangerous chemicals? Is the organization in a high-risk area for potential security violations? Does your company have poorly trained cleared employees? This information goes in the threat column.

The next column is the probability of occurrence. I like to use a scale of 1-5, with 1 being the lowest probability and 5 the highest. This column is for predicting the chances of the threat occurring. The next column is the level of impact, again on a scale of 1-5. Here you predict the severity of the damage and the impact to the asset. Multiplying probability by impact gives each threat a risk score, and the scores are what you use to rank the threats against each other.

In this example, I looked at three threats to classified information stored at a fictional cleared facility. The first threat is insider espionage. I gave it a probability score of 3, meaning that the chance of classified information getting out by way of an insider was high. The impact is a 5, meaning that the insider would know exactly what to take and may be able to do so without detection.

The next threat is a break-in. Based on threat data and crime reports, I’ve determined that spies have not been breaking into the company and gaining access to classified information. The impact of a break-in will be relatively low, as an outsider will be hard pressed to determine what to steal and where it is stored (without help from an employee or insider).

The next threat is severe weather. The probability of wind damage is pretty solid where we live, and tornadoes form often. The probability of a tornado or high winds destroying a facility exists. The impact of the facility’s destruction is high, and the scattering of classified information cannot be prevented or predicted.

Based on my assessment, the number one threat is insider espionage. With a score of 15, I will ensure that my countermeasures primarily address this threat. My budget may be constructed to include employee training on how to identify the insider threat. I may also develop procedures to limit access to classified processing, copying, or other interaction with classified material.

The next priority is severe weather. With a total score of 8, I will focus my efforts on developing and rehearsing how to protect classified information when disaster strikes. I would also spend time identifying and training cleared employees on how to search for and recover classified information after a disaster. I would not spend much of my budget or effort addressing the break-in and theft of classified material.
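The scoring model described above, carried through in code so the ranking can be reproduced and the 1-5 scales enforced. This is an added example, not code from the original post. The 3 x 5 = 15 for insider espionage is the post's own figure; the post gives severe weather only a total of 8 and gives the break-in no numbers, so the 2 x 4 split for weather and the 1 x 2 for the break-in are assumptions, as are the "high/medium/low" band thresholds.

```python
"""Simple probability x impact risk register, in the style of the post above."""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # the post's 1-5 scales for probability and impact


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    probability: int  # 1 = lowest chance of occurring, 5 = highest
    impact: int       # 1 = least severe damage to the asset, 5 = most severe

    def __post_init__(self):
        # Reject values outside the 1-5 scale so a typo cannot distort the ranking.
        for name, value in (("probability", self.probability), ("impact", self.impact)):
            if not (SCALE_MIN <= value <= SCALE_MAX):
                raise ValueError(f"{name} must be {SCALE_MIN}-{SCALE_MAX}, got {value}")

    @property
    def score(self) -> int:
        """Risk score is the product of probability and impact (range 1-25)."""
        return self.probability * self.impact


# Constructed register for the post's fictional facility (illustrative values).
# Insider espionage uses the post's 3 x 5 = 15. The 2 x 4 split for weather and
# the 1 x 2 for break-in are assumptions; the post does not state them.
REGISTER = [
    Risk("Classified information", "Insider espionage", probability=3, impact=5),
    Risk("Classified information", "Break-in / theft", probability=1, impact=2),
    Risk("Classified information", "Severe weather (tornado, high wind)", probability=2, impact=4),
]


def rank(register):
    """Highest score first; ties broken in favour of the higher-impact threat."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def priority_band(score: int) -> str:
    """Coarse reading of the 1-25 score range. Thresholds are assumed, not the post's."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def render(register) -> str:
    """Plain-text table of the ranked register, for briefing management."""
    header = f"{'Asset':<24}{'Threat':<36}{'P':>3}{'I':>3}{'Score':>7}  Band"
    lines = [header, "-" * len(header)]
    for r in rank(register):
        lines.append(
            f"{r.asset:<24}{r.threat:<36}{r.probability:>3}{r.impact:>3}"
            f"{r.score:>7}  {priority_band(r.score)}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(REGISTER))
```

Running the block prints the register ranked as the post ranks it: insider espionage (15) first, severe weather (8) second, break-in last. Adding an asset or threat is a matter of appending another Risk row; the same ranking then tells you where the next budget line should go.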

Committing tens of thousands of dollars in alarms, cameras and access control to counter a small threat is not justified. However, if part of your assessment includes life and health safety (violence, theft of product and other non-classified threats) then yes, consider these measures.

This exercise was developed only to demonstrate how to address risks to classified information in an intelligent manner. Again, this was just a snapshot. A real conclusion on the way ahead cannot be made until all assets and threats have been identified. Once finished, you will have a list of priorities on which to focus security efforts. From there you can develop your countermeasures and mitigate the impact of a threat. Keep assessing as you get new contracts and requirements, and be sure to keep your management informed.
