HOME

TheInfoList



Click Here for Items Related To - Security management
OR:
Security management on:   [Wikipedia]   [Google]   [Amazon]

Security management is the identification of an organization's
asset In financial accounting, an asset is any resource owned or controlled by a business or an economic entity. It is anything (tangible or intangible) that can be used to produce positive economic value. Assets represent value of ownership that c ...
s (including people, buildings, machines, systems and information assets), followed by the development, documentation, and implementation of policies and procedures for protecting assets. An organization uses such security management procedures for information classification, threat assessment,
risk assessment Broadly speaking, a risk assessment is the combined effort of: # identifying and analyzing potential (future) events that may negatively impact individuals, assets, and/or the environment (i.e. hazard analysis); and # making judgments "on the ...
, and risk analysis to identify threats, categorize assets, and rate system vulnerabilities.


Loss prevention

Loss prevention focuses on what one's critical assets are and how they are going to protect them. A key component to
loss prevention Retail loss prevention (also known as Retail asset protection) is a set of practices employed by retail companies to preserve profit. Profit preservation is any business activity specifically designed to reduce preventable losses. A preventable ...
is assessing the potential threats to the successful achievement of the goal. This must include the potential opportunities that further the object (why take the risk unless there's an upside?) Balance probability and impact determine and implement measures to minimize or eliminate those threats.


Security risk management

The management of
security risk In simple terms, risk is the possibility of something bad happening. Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environm ...
s applies the principles of risk management to the management of security threats. It consists of identifying threats (or risk causes), assessing the effectiveness of existing controls to face those threats, determining the risks' consequence(s), prioritizing the risks by rating the likelihood and impact, classifying the type of risk, and selecting an appropriate risk option or risk response. In 2016, a universal standard for managing risks was developed in The Netherlands. In 2017, it was updated and named: Universal Security Management Systems Standard 2017.


Types of risks


External

* Strategic: Competition and customer demand. * Operational: Regulations, suppliers, and contract. * Financial: FX and credit. * Hazard: Natural disasters, cyber, and external criminal acts. * Compliance: New regulatory or legal requirements are introduced, or existing ones are changed, exposing the organization to a non-compliance risk if measures are not taken to ensure compliance.


Internal

* Strategic: R&D. * Operational: Systems and processes (H&R, Payroll). * Financial: Liquidity and cash flow. * Hazard: Safety and security; employees and equipment. * Compliance: Concrete or potential changes in an organization's systems, processes, suppliers, etc. may create exposure to a legal or regulatory non-compliance.


Risk options


Risk avoidance

The first choice to be considered is the possibility of eliminating the existence of criminal opportunity or avoiding the creation of such an opportunity. When additional considerations or factors are not created as a result of this action that would create a greater risk. For example, removing all the cash flow from a
retail Retail is the sale of goods and Service (economics), services to consumers, in contrast to wholesaling, which is sale to business or institutional customers. A retailer purchases goods in large quantities from manufacturing, manufacturers, dire ...
outlet would eliminate the opportunity for stealing the money, but it would also eliminate the ability to conduct business.


Risk reduction

When avoiding or eliminating the criminal opportunity conflicts with the ability to conduct business, the next step is reducing the opportunity of potential loss to the lowest level consistent with the function of the business. In the example above, the application of risk reduction might result in the business keeping only enough cash on hand for one day's operation.


Risk spreading

Assets that remain exposed after the application of reduction and avoidance are the subjects of risk spreading. This is the concept that limits loss or potential losses by exposing the perpetrator to the probability of detection and apprehension prior to the consummation of the crime through the application of perimeter lighting, barred windows, and
intrusion detection system An intrusion detection system (IDS; also intrusion prevention system or IPS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically rep ...
s. The idea is to reduce the time available for thieves to steal assets and escape without apprehension.


Risk transfer

The two primary methods of accomplishing risk transfer is to insure the assets or raise prices to cover the loss in the event of a criminal act. Generally speaking, when the first three steps have been properly applied, the cost of transferring risks is much lower.


Risk acceptance

All of the remaining risks must simply be assumed by the business as a part of doing business. Included with these accepted losses are deductibles, which have been made as part of the insurance coverage.


Security policy implementations


Intrusion detection

*
Alarm device An alarm device is a mechanism that gives an audible, visual or other kind of alarm signal to alert someone to a problem or condition that requires urgent attention. Alphabetical musical instruments Etymology The word ''alarm'' comes from th ...
.


Access control

* Locks, simple or sophisticated, such as biometric authentication and keycard locks.


Physical security

* Environmental elements (ex. Mountains, Trees, etc.). *
Barricade Barricade (from the French ''barrique'' - 'barrel') is any object or structure that creates a barrier or obstacle to control, block passage or force the flow of traffic in the desired direction. Adopted as a military term, a barricade denot ...
. *
Security guard A security guard (also known as a security inspector, security officer, or protective agent) is a person employed by a government or private party to protect the employing party's assets (property, people, equipment, money, etc.) from a variety ...
s (armed or unarmed) with wireless communication devices (e.g.,
two-way radio A two-way radio is a radio that can both transmit and receive radio waves (a transceiver), unlike a radio broadcasting, broadcast receiver which only receives content. It is an audio (sound) transceiver, a transmitter and radio receiver, receive ...
). *
Security lighting In the field of physical security, security lighting is lighting that intended to deter or detect intrusions or other criminal activity occurring on a property or site. It can also be used to increase a feeling of safety. Lighting is integral to cr ...
(spotlight, etc.). * Security Cameras. * Motion Detectors. * IBNS containers for cash in transit.


Procedures

* Coordination with
law enforcement agencies A law enforcement agency (LEA) is any government agency responsible for the enforcement of the laws. Jurisdiction LEAs which have their ability to apply their powers restricted in some way are said to operate within a jurisdiction. LEA ...
. *
Fraud In law, fraud is intentional deception to secure unfair or unlawful gain, or to deprive a victim of a legal right. Fraud can violate civil law (e.g., a fraud victim may sue the fraud perpetrator to avoid the fraud or recover monetary compen ...
management. * Risk Management. * CPTED. * Risk Analysis. * Risk Mitigation. * Contingency Planning.


See also

*
Alarm management Alarm management is the application of human factors and ergonomics along with instrumentation engineering and systems thinking to manage the design of an alarm system to increase its usability. Most often the major usability problem is that t ...
*
IT risk Information technology risk, IT risk, IT-related risk, or cyber risk is any risk related to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Re ...
*
IT risk management IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.: :''The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within ...
*
ITIL security management ITIL security management describes the structured fitting of security into an organization. ITIL security management is based on the ISO 27001 standard. "ISO/IEC 27001:2005 covers all types of organizations (e.g. commercial enterprises, government ...
, an
information security management system Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The core ...
standard based on
ISO/IEC 27001 ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, ...
*
Physical security Physical security describes security measures that are designed to deny unauthorized access to facilities, equipment and resources and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks). Phy ...
*
Retail loss prevention Retail loss prevention (also known as Retail asset protection) is a set of practices employed by retail companies to preserve profit. Profit preservation is any business activity specifically designed to reduce preventable losses. A preventable ...
*
Security" \n\n\nsecurity.txt is a proposed standard for websites' security information that is meant to allow security researchers to easily report security vulnerabilities. The standard prescribes a text file called \"security.txt\" in the well known locat ...
*
Security policy Security policy is a definition of what it means to ''be secure'' for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms ...


References


Further reading

* ''BBC NEWS , In Depth.'' BBC News - Home. Web. 18 Mar. 2011. . * Rattner, Daniel. "Loss Prevention & Risk Management Strategy." Security Management. Northeastern University, Boston. 5 Mar. 2010. Lecture. * Rattner, Daniel. "Risk Assessments." Security Management. Northeastern University, Boston. 15 Mar. 2010. Lecture. * Rattner, Daniel. "Internal & External Threats." Security Management. Northeastern University, Boston. 8 April. 2010. Lecture. * Asset Protection and Security Management Handbook, POA Publishing LLC, 2003, p. 358 * ISO 31000 Risk management — Principles and guidelines, 2009, p. 7 * Universal Security Management Systems Standard 2017 - Requirements and guidance for use, 2017, p. 50 * Security Management Training
TSCM Training
* {{Authority control Network management Computer security procedures