Emergency Planning and Business Continuity Management and How It May Be Integrated with Security Risk Management.

In: Business and Management

Submitted By matthewg59
Words 5764
Pages 24
Abstract
Businesses, both large multinational and small to medium, should take the threats and risks they could face seriously. Security Risk Management (SRM), Business Continuity Management (BCM) and Emergency Planning (EP) assist in achieving this by putting in place effective risk identification and management measures. Effective management of risk can make the difference between success or failure of business operations during and after difficult events. Threats can include man made threats, such as terrorist attacks, or naturally occurring threats such as earthquakes. Effective risk identification and management is essential to any business, especially with the current uncertainty in the world’s economic climate. In order for businesses to survive, during times of increased strain on business operations, it is essential that an alignment between security and business operations can be achieved. This can be achieved by the security department not only widening the remit to cover more risks, but changing how the department works and relates to the rest of the business; including shared responsibility for things such as Corporate Governance, Information Assurance, Business Continuity, Reputation Management and Crisis Management.
The problem is security departments now have more responsibilities in an increasingly complex and fast moving world. Security Risk management is no longer an activity just for companies who work in high-risk areas or with exposure to significant security threats. Therefore, security is no longer viewed as a stand-alone activity but as part of a number of disciplines; including Enterprise Risk Management, Business Continuity Management, Reputation Management, Crisis Management, Disaster Recovery and Emergency Management Planning. The types of changes that may be integrated using these disciplines will create significant resilience or…...

Similar Documents

Risk Management Security

...Project Part 1 Task 2 Risk Management Plan Alen Kovacevic C. Wyrick IS3110 January 29, 2013 Purpose The Senior Management of the Defense Logistics Information Services (DLIS) has decided to update the previous risk management plan with a developing, new risk management plan. This new risk management plan will not only minimize the amount of risk for future endeavors, but will also be in compliance with regulations such as the Federal Information Security Management Act (FISMA), Department of Defense (DOD), Department of Homeland Security (DHS), National Institute of Standards and Technology (NIST), Control Objects for Information and Technology (COBIT), and Information Assurance Certification and Accreditation Process (DAICAP). Scope The risk management plan is for the organization use only and its network, including remote access company owned building in United States. Outside sources from this scope and risk management plan may cause the network infrastructure to fail or will make it a high risk structure due to the fact that the outside source may not protected to interact with other outside sources allowing hackers to infiltrate your system and steal important files. Compliances Federal Information Security Management Act (FISMA) compliance is required for federal agencies to protect their important information. Department of Homeland Security (DHS) compliance is to be required for protection to the United States against terrorists. There are other......

Words: 1365 - Pages: 6

Security Risk Management Course Paper

...Therefore, a proper understanding of risk management and all that it entails is of the utmost importance for every IT professional, regardless of specialization. The purpose of this paper is to identify what risk management is and give an overview of the three phases or undertakings that make up the risk management process and then conclude with a discussion and explanation of the six-step Risk Management Framework (RMF) developed by the Department of Defense and the National Institute of Standards and Technology (NIST) (National Institute of Standards and Technology, 2010). “Risk management is the process of Identifying risks, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level” (Michael E. Whitman, Herbert J. Mattord, 2012, p. 119.). Thus, risk management is merely the ability of a person or organization to implement due diligence and identify any potential issue and develop policies and security measures to combat these risks. Risk management is comprised of three phases: risk identification, risk assessment, and risk control (Michael E. Whitman, Herbert J. Mattord, 2012, p. 119.). Risk Identification Risk identification is simply the identification and documentation of the assets and the threats to those assets. Risk identification is an iterative process that consists of six steps: the planning and organization of the risk management process, categorize the......

Words: 2778 - Pages: 12

Business Continuity Implementation Planning

...Anne Tramposh CSS150-1304A-02 Introduction to Computer Security Professor Mark Ford 10/26/2013 Business Continuity Implementation Planning A Business Continuity Plan is “a plan for how to handle outages to IT systems, applications and data access in order to maintain business operation. A Business Impact Analysis is a prerequisite analysis for a Business continuity plan that prioritizes mission critical systems, applications and data and the impact of an outage or downtime.” (Kim. 2012. Pg.478) Every organization faces risk. Sometimes risk is measurable and predictable, and other times it is not. For example, a lawn care company knows that it has a seasonal business. There is some unpredictability in the seasons in that you do not know for sure if it is going to be a “wet” spring or a “dry” spring, or a hot summer or a cooler summer and so on. However, at least in the Midwest, a lawn care company can pretty well determine that we will have winter, spring, summer and fall. Additionally, it is predictable that the grass will need mowing from about mid to late March all the way through November. So, there is a small risk that it may start a little later and/or end a little sooner, but on the average it is fairly predictable. Other organizations have much greater risk inherent in their organizations. For example, a small stock brokerage firm may lose its entire business if stocks take the type of tumble that they did in 1998. (I personally know of some small firms......

Words: 1104 - Pages: 5

Security and Risk Management

...and business operations are filled with risk. On a personal level we take risks crossing the road, travelling by train and making investment decisions. From a business perspective, risk is managed at many levels - operational, marketing, legal and financial. Traditionally, much risk inherent in a business operation has been managed through insurance. In reality, we are all aware that risk can no longer be managed on an ad hoc basis, but should be sewn into the fabric of corporate management. In other words, an organization will not be able to make strategic choices to maximise performance without having a clear understanding of the risk it faces. People make risk decisions at all levels in an organization, ranging from individual responsibilities to collective decisions made at Board level. Allowing individuals too much autonomy within an organisation can have disastrous consequences. Consequently, compliance and adherence to regulations is important to all risk management programmes, which in turn have focused organisations on corporate governance as a form of management control. Risk analysis helps put in place checks and procedures that reduce the chance of negative outcomes. In relation to the risk management situation, we can always relate to Nick Leeson's case, who had lost Baring’s Bank $1.3 billion on trading derivatives, destroying Barings and its reputation within a short period of time. Inter-related Crisis and Risk management Crisis and Risk management......

Words: 1044 - Pages: 5

Business Continuity Planning

...  People may include employees and customers along with other invited persons such as contractors or guests.  Property assets consist of both tangible and intangible items that can be assigned a value.  Intangible assets include reputation and proprietary information.  Information may include databases, software code, critical company records, and many other intangible items. An asset is what we’re trying to protect. Threat – Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. A threat is what we’re trying to protect against. Vulnerability – Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset. A vulnerability is a weakness or gap in our protection efforts. Risk – The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability. Risk is the intersection of assets, threats, and vulnerabilities. A + T + V = R That is, Asset + Threat + Vulnerability = Risk. Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets. Thus, threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities then there is little/no risk. Similarly, you can have a vulnerability, but if you have no threat, then you have little/no risk. Impact is the total profit/loss which is obtained through the above activities. Impact is like an output. In the context of Risk......

Words: 882 - Pages: 4

Risk Management

... Butterworth-Heinemann is an imprint of Elsevier Linacre House, Jordan Hill, Oxford OX2 8DP, UK 30 Corporate Drive, Suite 400, Burlington, MA 01803, USA First edition 2009 Copyright © 2009 Elsevier Ltd. All rights reserved No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without the prior written permission of the publisher Permissions may be sought directly from Elsevier’s Science & Technology Rights Department in Oxford, UK: phone (144) (0) 1865 843830; fax (144) (0) 1865 853333; email: permissions@elsevier.com. Alternatively you can submit your request online by visiting the Elsevier web site at http://elsevier.com/locate/permissions, and selecting Obtaining permission to use Elsevier material Notice No responsibility is assumed by the publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. British Library Cataloguing in Publication Data A catalogue record for this book is available from the British Library Library of Congress Cataloguing in Publication Data A catalog record for this book is available from the Library of Congress......

Words: 89973 - Pages: 360

Risk Management Planning

...Risk Management Planning Carvella Bennett Everest University Risk management planning is the process of developing options and actions to enhance opportunities and reduce threats to project objectives. Risk management implementation is the process of executing risk management actions. Effective crisis response begins with effective decision-making. Good initial decisions can make even a catastrophe manageable; bad decisions can fatally exacerbate an otherwise small problem. In both cases, the window of opportunity for initial decision making is extremely small and closes rapidly. Once the moment for decision making has gone, it does not come back. Proper crisis response is about developing a range of emergency management options that can be exercised and that focus on what could happen, not what will happen. This is achieved through practice, and lots of it. It is no easy task getting a crisis management team together for the first time during an unfolding emergency. In all cases, the best crisis management results are delivered on-site and in the same time zone. However centralized a company may be, when it comes to crisis management, even local staffs need to sharpen their crisis management skills because ultimately, those are the ones that will be used when disaster first strikes. When actually organizing a live run-through of the crisis management plan, the scenario should ideally be one in which a business system is disabled. It is better to act this out in a......

Words: 1668 - Pages: 7

Business Continuity and Disaster Recovery Planning for It Professionals

...o m Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site. SOLUTIONS WEB SITE To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you may find an assortment of valueadded features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s). ULTIMATE CDs Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few. DOWNLOADABLE E-BOOKS For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably. SYNGRESS OUTLET Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings. SITE LICENSING Syngress has a well-established program......

Words: 189146 - Pages: 757

Risk Management in Justice and Security

...Running Head: RISK MANAGEMENT IN JUSTICE AND SECURITY ORGANIZATIONS Risk Management in Justice and Security Organizations Rita A. Davis University of Phoenix CJA/520 Group ID: MSAS0KCAO6 RJ Schafer September 11, 2009 Risk Management in Justice and Security Organizations Introduction Risk management is essential to the security and well being of any organization. Risk management is crucial in guaranteeing that security controls and spending are proportionate with the actual risks to which the organization is exposed. Following a comprehensive and formal risk management approach requires a sound understanding of the principles of risk. Risk goes beyond the questions of efficiency, technique. This paper will discuss the role of risk management in justice and security organizations What is Risk? “Risk is the uncertainty of financial loss, the variations between actual and expected results, or the probability that a loss has occurred, or will occur… three main categories are personal, property, and liability” ( Broder, p. 3). An organization should perform a risk analysis, which is a, “management tool, the standards for which are determined...

Words: 986 - Pages: 4

The Importance of Risk Management to a Business

...The Importance of Risk Management to a Business All organizations encounter uncertain events when trying to achieve their objectives. These uncertain events may arise inside or outside the organization. Each individual uncertain event that would impact one or more objectives is known as a risk. If the risk would have a negative impact on the business if it occurred, then it is a threat. If it has a positive impact then it is known as an opportunity. The combined effect of risks to a set of objectives is known as risk exposure, and is the extent of the risk borne by that part of the organization at that time. Risk has always been an inherent feature in any undertaking therefore risk management is not a new concept for organizations. The earliest application of risk management within organizations tended to focus on insurance management in terms of establishing financial capacity for the negative effects of adverse events. During the 1970s a broader view started to emerge whereby organizations began to develop a better understanding of the nature of the risks being faced and looked at alternatives to insurance. There remained, however, a focus on the negative effects of risk. Only in recent years have organizations begun to recognize that risk management, in its broadest sense, applies to both negative threats and positive opportunities. In each case a proactive approach is required, which seeks to understand the size of the possible threats and opportunities so that a......

Words: 1027 - Pages: 5

The Cost of Business Continuity Planning Versus the Potential of Risk

...The Cost of Business Continuity Planning Versus the Potential of Risk Though the cost of mitigating risk can be high, the lack of proper business continuity planning and disaster recovery planning will leave a company is at risk of a catastrophic loss of revenue due to the loss of the Information Systems. Any company that relies on its Information Systems for their operations should invest the time and revenue in developing an efficient and effective Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP). This study will compare the differences in what a Business Continuity Plan is used for and what a Disaster Recovery Plan is used for. Additionally, it will evaluate the risk having a Business Continuity Plan and Disaster Recovery Plan versus accepting the potential loss of revenue and business in the event of a disaster. It is important to any company that uses it Information Systems to generate revenue. If a company is effected by a disaster, the longer a company takes to respond to the emergency and recover its resources, the more time it will take the company to get back to normal operations (Harris, 2013, p. 887). As history has shown, our world has and will continue to experience many destructive events such as, floods, earthquakes, terrorism, hurricanes, and many other catastrophic events that could cripple a company that is not prepared. Disasters are uncontrollable and over time, every organization will have to deal with the fallout of a disaster. Three...

Words: 2924 - Pages: 12

Security Risk Management Plan

...SECURITY RISK MANAGEMENT PLAN Prepared by Jeremy Davis Version control Project title | Security Risk Management Plan Draft | Author | Jeremy Davis | VC | 1.0 | Date | 25/10/10 | Contents Executive summary 4 Project purpose 5 Scope of Risk management 5 Context and background 5 Assumptions 5 Constraints 5 Legislation/Standards/Policies 6 Risk management 6 Identification of risk 7 Analysis of risk 8 Risk Category 9 Review of Matrix 9 Action plan 9 Testing Procedures 11 Maintenance 11 Scheduling 11 Implementation 12 Training 12 Milestones 12 Monitoring and review 13 Definition 13 Authorisation 14 Reference 15 Executive summary A Security Risk Management Plan (SRMP) helps CBS by providing specific guidelines and rules to ensure risk management is considered and included. It provides guidelines for its implementation that can minimise the threats by planning, policies, processes and procedures that can help your business get everything back to normal as soon as possible. This SRMP was designed for the guidelines for its implementation of risk management in CBS and in its operations in order to ensure its security and safety of its staff and assets. Throughout this SRMP it identifies threats, procedures, policies, responsible person and etc which will provide you and your staff information to prepare you with the worst disaster event. Every business these days has a SRMP in case of any events which may occur,...

Words: 2028 - Pages: 9

Security Risk Management

...Security Risk Management Plan Sydney Head Office 175 Sydney Rd Sydney NSW 2000 DOCUMENT VERSION CONTROL Document Name: | Amalgamation of GSC | Version Number: | 0.1 | Date: | 18 July 2016 | Reviewed By: | | Authorised By: | | CHANGE HISTORY Version | Issue Date | Author | Reason for Change | 0.1 | 20.05 | ABCELLO | Original Document | | | | | | | | | | | | | | | | | | | | | | | | | DISTRIBUTION LIST Copy No | Name | Location | 1. | Master | Project Office | 2. | <Project Manager> | | 3. | <Project Sponsor> | | 4. | <Executive Sponsor> | | 5. | | | | | | | | | | | | | | | CONTENTS INTRODUCTION | 4 | | | SCOPE OF WORKS | 4 | DISCLAIMER AND LIMITATIONS | 4 | | | METHODOLOGY | 4 | | | STRATEGIC CONTENT | 4 | STAKEHOLDER LIST | 5 | RISK MANAGEMENT CONTEXT | 5 | THE RISK MANAGEMENT PROCESS | 6 | | | ANALYSIS OF SECURITY RISK | 7 | TREATMENT OPTIONS | 7 | | | SOURCES OF EVENT RISK | 8 | | | RISK IMPLEMENTATION/RISK IDENTIFICATION | 9 | | | RISK ASSESSMENT SUMMARY | 9 | RISK 1 - Operational | 10 | RISK 2 - Strategic | 10 | RISK 3 - Human / Animal Resources | 11 | RISK 4 - Systems | 11 | RISK 5 - Financial | 12 | RISK 6 - Legal | 12 | | | RISK ASSESSMENT TABLES & CONSEQUENCE | 13 -18 | STAKEHOLDERS SIGN OFF | 19 | BIBLIOGRAPHY | 20 | |......

Words: 3116 - Pages: 13

Security Management

...CONTENTS A. Four Functions of Management 1 1. Planning 2 Planning Terminology 3 Vision 3 Mission 3 Objective 3 Goals 3 Strategic Planning 4 2. Organizing 4 Organizational Structure 5 Division of Labor 5 Delegation of Authority 6 Departmentation 7 Informal Structure 8 Leading 8 Staffing 9 Staffing Success – More than Luck 10 Starting with Self Assessment 10 Know yourself 11 Know your business 11 Know Advantage & Disadvantage of Employment 11 Directing 12 Motivation 13 Removing Barrier of Communications 13 Facilitating Communication 16 Controlling 17 B. Management Plan (Intro) 20 Security Management Plan 22 -oOo- Ils-pwu-2012 Principles of Organization & Management: Four Functions of Management Planning means looking ahead and chalking out future courses of action to be followed. It is a preparatory step. It is a systematic activity which determines when, how and who is going to perform a specific job. Planning is a detailed programme......

Words: 7522 - Pages: 31

Business Risk Management

...Business Risk Management Fukushima Daiichi – Nuclear Disaster Pedro Eza ID number: z3366523 Executive Summary Fukushima crisis management showed system failures from the public and private actors that led to overall human error and opened a continuous debate within international community about holding nuclear plants under public hands rather than private ones whose incentives clearly differ from the public interest: * The Government and regulatory agencies failed to push Tepco to heed several anomalies and warnings causing the operator to be unprepared at an operational risk level evidencing an embarrassing incompetency to make decisions. * Tepco, as this report will prove below, lacked a culture of safety failing to respond effectively to subsequent events after the accident. For all these, the need to build an adequate resilience framework within the nuclear industry covering the main pillars: Crisis Management, Disaster Recovery, Business Continuity and Emergency Management, are paramount within risk management. Case’s Background On March 11, 2011, Japan suffered an earthquake of magnitude 9.0 with an epicenter......

Words: 2139 - Pages: 9