Standards for Supply Chain Risk Assessment and Security Management: ISO 28000
Assuring Safety, Security, and Sustainability using supply chain analysis, planning, and integrated Quality Management Systems
2012 Transportation Research Board Annual Meeting, Washington DC, January 25th, 2012
Michael J. Penders, Esq., Environmental Security International L3C, www.esisecurity.com
Identifying Vulnerabilities and Reducing Risk with Integrated Management Systems: Performance Measures, Accountability, and Deterrence
• Integrated Security Management requires the capacity to detect, prevent, and limit the consequences of deliberate or negligent acts across the supply and distribution chains.
• Focused on acts that would use hazardous materials, wastes, the supply chain, or infrastructure as a weapon or as a means of delivering an attack.
• An All Hazards Approach to Risk Assessment
Process for Integrated Risk Assessment, Management and Systems
• Planning for many release and attack scenarios that pose threats to critical assets, not just the worst case.
• Dynamic paradigms for risk assessment and planning.
• Benefits of integrating Environmental, Health, Safety, Emergency Response, Disaster Recovery, Business Continuity, Information and Physical Security systems.
• Organizational Resiliency
• Enterprise Risk Management
Homeland Defense, Integrated Management Systems, and National Security
• Nationally, internationally, at ports, and at facilities: “We don’t know what we know.”
• Stove-piping of agencies and information
• Speed and synthesis: keys to comprehension and security.
• Integrating environmental, energy, and security monitoring into operational controls, with defenses for IT systems
Integrating Elements of Security into Operational Management Systems
• Access to reliable information by decision makers, emergency responders, and security
• Data mining, operational controls, remote sensing
• Planning, communications, training
• Standards for Incident Command
• Demonstrated performance at military bases
Critical Elements of Vulnerability, Risk Assessment and Systems Review
• Facility and treatment review
• Physical security: perimeter; access controls; vehicle and materials delivery management; hazardous materials management; facilities design; critical infrastructure; personnel; subcontractors
• SCADA, information, and cyber security
• Critical control points along the supply chain
Strategic Security Management
• Blue Plains D.C. Waste Water Treatment Facility
• Pollution prevention and strategic sustainability
• Co-generation, redundancy, defenses
• Management controls and real-time monitoring
• Towards an integrated systems approach
• Assume worst-case scenarios and that the enemy knows; design systems accordingly
New Standards and Incentives for Integrated Security Management
• New international standards for Security Management Systems (SMS)
• ISO 28000; ISO 27000
• Performance measures for integrated systems: speed, synthesis, risk reduction
• E-commerce and supply chain management
• Insurance/financial/regulatory considerations
Security Planning Model (diagram: Continuous Vigilance Model, with the Security Management System at the center and the cycle Change, Incident, SVA, Audit around it)
Security Management System Model Elements (diagram)
• Leadership commitment
• Security vulnerability assessment
• Legal and other requirements
• Threat and hazard deterrence and mitigation
• Implementation and operation
• Resources, roles, responsibility and authority
• Competence, training and awareness
• Continuous improvement
• Monitoring and measurement
• System evaluation
• Nonconformity, corrective action and preventive action
• Control of records
• Internal audit
• Management review
• Communications and warning
• Documentation
• Control of documents
• Operations and procedures
• Emergency preparedness and response
SVA Methodology
Step 1: Asset Characterization
Step 2: Threat Assessment
Step 3: Vulnerability Analysis
Step 4: Risk Assessment
Step 5: Countermeasures Analysis
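The five SVA steps above describe a procedure but no scoring scheme. The following added example (not from the presentation or from Environmental Security International) walks a constructed risk register through all five steps: assets are characterized, threats and scenarios are scored on assumed 1 to 5 ordinal scales, risk is computed as likelihood × vulnerability × consequence (an assumption for illustration, not the speaker's formula), and candidate countermeasures are ranked by risk reduction per unit of cost. Asset, threat and countermeasure names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption for this example: 1-5 ordinal scales and a multiplicative risk score.
# The presentation names the five SVA steps but does not prescribe a scoring scheme.


@dataclass(frozen=True)
class Asset:                 # Step 1: asset characterization
    name: str
    function: str            # what the asset does for the operation


@dataclass(frozen=True)
class Threat:                # Step 2: threat assessment
    name: str
    likelihood: int          # 1 (remote) .. 5 (expected)


@dataclass(frozen=True)
class Scenario:              # Step 3: vulnerability analysis pairs a threat with an asset
    asset: Asset
    threat: Threat
    vulnerability: int       # 1 (well protected) .. 5 (exposed)
    consequence: int         # 1 (negligible) .. 5 (catastrophic)


@dataclass(frozen=True)
class Countermeasure:        # Step 5 input: a control and its effect on vulnerability
    name: str
    cost: int                # relative cost units (must be positive)
    residual_vulnerability: int  # vulnerability score once the control is in place


def _check_scale(value: int, label: str) -> None:
    """Reject scores outside the assumed 1-5 scale so bad data cannot hide a risk."""
    if not 1 <= value <= 5:
        raise ValueError(f"{label} must be between 1 and 5, got {value}")


def risk_score(s: Scenario) -> int:
    """Step 4: risk assessment. Range 1..125 under the assumed scales."""
    _check_scale(s.threat.likelihood, "likelihood")
    _check_scale(s.vulnerability, "vulnerability")
    _check_scale(s.consequence, "consequence")
    return s.threat.likelihood * s.vulnerability * s.consequence


def rank_scenarios(scenarios: List[Scenario]) -> List[Tuple[str, int]]:
    """Highest risk first; ties broken alphabetically so output is deterministic."""
    rows = [(f"{s.threat.name} -> {s.asset.name}", risk_score(s)) for s in scenarios]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def evaluate_countermeasure(s: Scenario, cm: Countermeasure) -> Dict[str, float]:
    """Step 5: risk before and after the control, and reduction per unit cost."""
    if cm.cost <= 0:
        raise ValueError("countermeasure cost must be positive")
    _check_scale(cm.residual_vulnerability, "residual_vulnerability")
    before = risk_score(s)
    after = s.threat.likelihood * cm.residual_vulnerability * s.consequence
    reduction = before - after
    return {"before": before, "after": after, "reduction": reduction,
            "reduction_per_cost": reduction / cm.cost}


def prioritize(s: Scenario, options: List[Countermeasure]) -> List[Tuple[str, float]]:
    """Order candidate controls for one scenario by risk reduction per unit cost."""
    scored = [(cm.name, evaluate_countermeasure(s, cm)["reduction_per_cost"]) for cm in options]
    return sorted(scored, key=lambda row: (-row[1], row[0]))


def sample_register() -> List[Scenario]:
    """Constructed sample data for a treatment-plant style supply chain."""
    storage = Asset("hazardous material storage", "process chemical inventory")
    scada = Asset("SCADA historian", "process monitoring and control data")
    gate = Asset("delivery gate", "inbound vehicles and materials")
    return [
        Scenario(storage, Threat("unverified inbound delivery", 3), vulnerability=4, consequence=5),
        Scenario(scada, Threat("unauthorized remote access", 4), vulnerability=3, consequence=4),
        Scenario(gate, Threat("negligent gate procedure", 2), vulnerability=3, consequence=4),
    ]


if __name__ == "__main__":
    register = sample_register()
    for label, score in rank_scenarios(register):
        print(f"{score:4d}  {label}")
    options = [
        Countermeasure("manifest verification and vehicle inspection at gate", cost=2, residual_vulnerability=2),
        Countermeasure("relocate storage inside secondary perimeter", cost=5, residual_vulnerability=1),
    ]
    for name, value in prioritize(register[0], options):
        print(f"{value:6.2f} risk reduction per cost unit: {name}")
```

The ranking gives the planner the "many scenarios, not just the worst case" view the earlier slide calls for, and the per-cost ranking shows why a cheaper control can outrank a stronger one when the budget is fixed.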
Security Management System Value to External Stakeholders: Customers; Government; Financial Institutions; Public (diagram: Integrated Security Management System, linked to Innovative Technologies, Enterprise Risk Management, Business Continuity, and Deterrence)
For more information or questions: Michael Penders, mpenders@esisecurity.com, (703) 330-3752, www.esisecurity.com