ACP 122 (F) - Multilateral Planners Conference
UNCLASSIFIED
ACP 122(F)
CHAPTER 3
RISK MANAGEMENT
OVERVIEW
301. Combined forces increasingly rely on interconnected CIS for command and control and
administration purposes.[1]
302. The management of the risk to a CIS is effected through a system security architecture
comprising operational, procedural, physical, personnel and technical components, selected in
the light of an assessment of the risks to the system, the definition of system security
requirements and the analysis of optional security architecture solutions. The design of the
security architecture is an integral part of the system design. The development of the security
architecture and its maintenance throughout the life of the system is accomplished through the
security risk management process.
POLICY
303. In order to ensure that adequate, cost-effective security is provided to CIS, there is a
requirement for the orderly examination of sensitivities, threats, and vulnerabilities in order to
determine the risk to any given CIS and what protective measures/safeguards are required. This
process is known as risk assessment, and is the fundamental basis of risk management. The
security risk management process is applicable to all new and in-service CIS within combined
operations. New systems shall start applying the risk management process at the beginning of the
planning stage. Risk management for in-service systems forms part of the configuration
management process.
RISK MANAGEMENT PROCESS
304. The security risk management process is the process by which resources are planned,
organized, directed and controlled to ensure the risk to national or combined CIS and the
information they handle remains within acceptable bounds at optimal cost. The process enables
the definition, implementation and life cycle management of the system security architecture. It
is equally valid for small stand-alone systems as for large networked systems - the difference in
application lies in the degree of system complexity and the extent of the security requirement.
The security risk management process applies regardless of where system planning,
implementation and operation are accomplished.
[1] Not all of the information processed, stored or transmitted by these systems would be classified in the national
interest. Some of it may be personal (evaluations, medical reports) or financial (project cost projections, budgets)
information that is sensitive and therefore warrants some form of protection against unauthorised disclosure,
removal, destruction, interruption or modification.
3-1 Original