ACP 122 (F) - Multilateral Planners Conference

More documents

Recommendations

Info

UNCLASSIFIED ACP 122(F) CHAPTER 3 RISK MANAGEMENT OVERVIEW 301. Combined forces increasingly rely on interconnected CIS for command and control, and administration purposes. 1 302. The management of the risk to a CIS is effected through a system security architecture comprising operational, procedural, physical, personnel and technical components, selected in the light of an assessment of the risks to the system, the definition of system security requirements and the analysis of optional security architecture solutions. The design of the security architecture is an integral part of the system design. The development of the security architecture and its maintenance throughout the life of the system is accomplished through the security risk management process. POLICY 303. In order to ensure that adequate, cost-effective security is provided to CIS, there is a requirement for the orderly examination of sensitivities, threats, and vulnerabilities in order to determine the risk to any given CIS and what protective measures/safeguards are required. This process is known as risk assessment, and is the fundamental basis of risk management. The security risk management process is applicable to all new and in-service CIS within combined operations. New systems shall start applying the risk management process at the beginning of the planning stage. Risk management for in-service systems forms part of the configuration management process. RISK MANAGEMENT PROCESS 304. The security risk management process is the process by which resources are planned, organized, directed and controlled to ensure the risk to national or combined CIS and the information they handle remains within acceptable bounds at optimal cost. The process enables the definition, implementation and life cycle management of the system security architecture. It is equally valid for small stand-alone systems as for large networked systems - the difference in application lies in the degree of system complexity and the extent of the security requirement. The security risk management process applies regardless of where system planning, implementation and operation are accomplished. 1 Not all of the information processed, stored or transmitted by these systems would be classified in the national interest. Some of it may be personal (evaluations, medical reports) or financial (project cost projections, budgets) information that is sensitive and therefore warrants some form of protection against unauthorised disclosure, removal, destruction, interruption or modification. 3-1 Original UNCLASSIFIED
UNCLASSIFIED ACP 122(F) 305. The process involves the identification of the risk to any of the IA principles inherent in the system and the management decisions concerning the acceptable level to which it may be managed. It consists of the following: a. Evaluation of the sensitivity of the assets planned for the system and the information to be processed on it, b. Determination of the risk of injury to those assets taking into account system vulnerabilities and gaps in the coverage of safeguards, and the threats which can exploit them, c. Formulation of appropriate countermeasures, d. Identification, quantification and management acceptance of the residual risk, and, e. Management of the system throughout its in-service life in such a way as to ensure that risks to the system remain at an acceptable level. 306. Risk has two components: threat and impact. Both elements must be present for a risk to exist: a. Threat - the likelihood that the event will occur, and b. Impact - the consequences or gravity of the damage incurred if the event occurs. 307. Risks exist in the technical, procedural, personnel and physical arenas. They might affect confidentiality, availability or integrity of systems. The language used to describe them will therefore vary, except that impact should always be expressed the same way. For an impact to have significance, it has to affect an operational or business activity. Impacts should therefore be expressed primarily in operational terms: for example, a compromise of intelligence data might cause critical exposure of intelligence sources, political embarrassment and critically undermine the execution of operations. The impact of an environmental security problem might be expressed partly in terms of the replacement cost of a building or a set of equipment. 308. The operational impact from any one realized risk can change, depending on how long the interruption lasts. For example, if a key logistics system is unavailable for 24 hours, the result might be minor delays in the logistics chain. After 24 hours, operations might begin to be affected as critical stores can no longer be tracked or accounted for. After 48 hours, the operation might suffer severe delays as supplies fail to arrive, forcing the alteration or amendment of critical elements of operations. Where time is a critical factor in identifying impact, it should be acknowledged in the risk management documents. 309. In summary, risk management is the process of assessing risks and making sensible, accountable decisions about the handling of those risks. Once a risk has been identified, there are four basic ways of dealing with it: 3-2 Original UNCLASSIFIED
Page 1 and 2: UNCLASSIFIED ACP 122(F) INFORMATION
Page 3 and 4: UNCLASSIFIED ACP 122(F) THE COMBINE
Page 5 and 6: UNCLASSIFIED ACP 122(F) TABLE OF CO
Page 7 and 8: UNCLASSIFIED ACP 122(F) CHAPTER 10.
Page 9 and 10: UNCLASSIFIED ACP 122(F) referred to
Page 11 and 12: UNCLASSIFIED ACP 122(F) CHAPTER 2 P
Page 13 and 14: UNCLASSIFIED ACP 122(F) b. Availabi
Page 15: UNCLASSIFIED ACP 122(F) 213. Most o
Page 19 and 20: UNCLASSIFIED ACP 122(F) CHAPTER 4 C
Page 21 and 22: UNCLASSIFIED ACP 122(F) 407. The Me
Page 23 and 24: UNCLASSIFIED ACP 122(F) ISSUE RESOL
Page 25 and 26: UNCLASSIFIED ACP 122(F) MEASURES RE
Page 27 and 28: UNCLASSIFIED ACP 122(F) CHAPTER 6 V
Page 29 and 30: UNCLASSIFIED ACP 122(F) a. Physical
Page 31 and 32: UNCLASSIFIED ACP 122(F) CHAPTER 7 S
Page 33 and 34: UNCLASSIFIED ACP 122(F) CHAPTER 8 C
Page 35 and 36: UNCLASSIFIED ACP 122(F) 812. TRANSE
Page 37 and 38: UNCLASSIFIED ACP 122(F) INTRODUCTIO
Page 39 and 40: UNCLASSIFIED ACP 122(F) 912. Caveat
Page 41 and 42: UNCLASSIFIED ACP 122(F) CHAPTER 10
Page 45 and 46: UNCLASSIFIED ACP 122(F) TRUSTED COM
Page 47 and 48: UNCLASSIFIED ACP 122(F) d. Password
Page 51 and 52: UNCLASSIFIED ANNEX A TO ACP 122(F)
Page 53 and 54: UNCLASSIFIED ACP 122(F) Checklists
Page 55 and 56: UNCLASSIFIED ACP 122(F) Annexes 3.
Page 57 and 58: UNCLASSIFIED ACP 122(F) Access Cont
Page 59 and 60: UNCLASSIFIED ACP 122(F) Combined In
Page 61 and 62: UNCLASSIFIED ACP 122(F) support wil
Page 63 and 64: UNCLASSIFIED ACP 122(F) National In
Page 65 and 66: UNCLASSIFIED ACP 122(F) Security Ar
Page 67 and 68:
UNCLASSIFIED ACP 122(F) ABBREVIATIO
Page 69:
UNCLASSIFIED ACP 122(F) WG WS Worki
show all

ACP 122 (F) - Multilateral Planners Conference

Create successful ePaper yourself

Delete template?

Save as template?