SECURITY AND RISKMANAGEMENT BESTPRACTICESPresented by: Junison Zaib,At The 1 st International Indonesia, Quality, Health, Safety, Security and Environment Conference and Exhibition,Jakarta 22 June 2011
Contents:Security Risks SpectrumRisk Analysis, Qualitative Relation Model and StepsRisk Management Best Practices Physical Security Promote Ethics, Professionalism and Integrity Political & Security Risk analysis Business intelligence & investigation Information Security Business Continuity & Crisis Management Travel Security Management Security Arrangement
Security Risks Distribution Mapping(criminal gang, violence, terrorist attacks, theft, spam, etc)
Corruption Perceptions Index
Common Forms Of CorruptionBribery: Probably the most common form of corruption, bribery is the giving of some form of benefit to unduly influencesome action or decision on the part of the recipient or beneficiary. Bribery can be initiated by the person soliciting the bribe or theperson offering the bribe. The “benefit” may vary from money or other valuables to less tangible benefits such as insideinformation or employment. Bribes may be paid on a case-by-case basis or as part of an ongoing relationship. The mostcommon strategy for countering bribery is to criminalize it, often with an exclusive focus on cases involving public officials.Embezzlement, theft and fraud: the taking or conversion of money, property or other valuables for personal benefit.Embezzlement and theft involve the taking of property by someone to whom it has been entrusted, whereas fraud consists ofthe use of misleading information to induce someone to turn over the property voluntarily, for example, by misrepresenting theamount of people in need of a particular service.Extortion: extortion involves coercive incentives such as the use of threat of violence or the exposure or damaginginformation in order to induce cooperation. Office holders can be either the instigators or the victims of extortion.Abuse of discretion: the abuse of office for private gain, but without external inducement or extortion. Patterns of suchabuses are usually associated with bureaucracies in which broad individual discretion is created, few oversights oraccountability structures are present, as well as those in which decision-making rules are so complex as to neutralize theeffectiveness of such structures even if they exist.Favoritism, nepotism and clientelism: In general, these involve abuse of discretion, however, in these specific cases, theact is governed not by the direct self-interest of the corrupt individual, but by some less tangible affiliation, such as advancingthe interest of family (nepotism), a political party, or of an ethnic, religious or other grouping.Improper political contributions: payments made in an attempt to unduly influence present or future activities by aparty or an institution. Distinguishing this from legitimate political contributions is very difficult.
Risk Management Needed Along Business CycleRiskManagementThreats,Vulnerabilities
Quantitative Risks AnalysisSecurity in any system should be commensurate with its risksSecurity risk analysis is to put this process onto a more objectivebasis. Two types: quantitative and qualitativeQuantitative Risk AnalysisEmploys two fundamental elements; the probability of an event occurring andthe likely loss should it occur.Simply multiplying the potential loss by the probability.Possible to rank/prioritize events in order of risk and to make decisions basedupon this.The problems are usually associated with the unreliability and inaccuracy of thedata. Probability can rarely be precise and can, in some cases, promotecomplacency. In addition, controls and countermeasures often tackle a number ofpotential events and the events themselves are frequently interrelated.Notwithstanding the drawbacks, a number of organizations have successfullyadopted quantitative risk analysis.
Qualitative Risk and ModelQualitative Risk AnalysisThe most widely used approach to risk analysis. Probability data is not requiredand only estimated potential loss is used.Most qualitative risk analysis methodologies make use of a number of interrelatedelements:THREATS, these are things that can go wrong or that can 'attack' the system.Examples might include fire or fraud. Threats are ever present for every system.VULNERABILITIES, these make a system more prone to attack by a threat or makean attack more likely to have some success or impact. For example, for fire avulnerability would be the presence of inflammable materials (e.g. paper).CONTROLS, these are the countermeasures for vulnerabilities. There are fourtypes:Deterrent: reduce the likelihood of a deliberate attackDeny: protect vulnerabilities and make an attack unsuccessful or reduce its impactDevalue: reduce the effect of an attackDetect: discover attacks and trigger preventative(deny) or corrective (devalue) controls.
Simple Risk Control Relational ModelDeterrentThreatReduces likelihood ofDetectCreatesAttackDiscoversTriggersDevalueDenyDecreasesReducesExploitsProtectsImpactResult inVulnerability
Seven Steps Security Risk Assessment and MitigationConduct Security Vulnerability Assessment, Site Specific SecurityPlan, Security Management ReviewUnderstand the organization and identify the people and assets at riskSpecify loss risk events and vulnerabilitiesEstablish the probability of loss risk and frequency of eventsDetermine the impact of the eventsDevelop options to mitigate risksStudy the feasibility of actual implementation of optionsPerform a cost/benefit analysis
The physical security of facilities requires the use of concentric levels ofcontrol and protection to provide progressively enhanced levels of security11The 1 st of control: should be at the perimeter of the property consisting of fences and otherbarriers with one or two points of entry through gates controlled by police and/or securitypersonnel. In certain camps, the building perimeter may be on the property line. Increased levels of screening of persons andvehicles, as the Security Threat Levels are changed, must be accommodated at the perimeter without burdening surrounding roadswith vehicles waiting to enter the site.The 2 nd point of control: should be at the building perimeter consistingof doors and other openings protected as appropriate to the level ofprotection needed with or without the first point of control. This includes accesscontrol hardware, intrusion detection, surveillance, and, at selected entrances at various times, personnelfor control and screening.The 3 rd point of control should be to segregate withbarriers and hardware generally accessible public andvisitors areas from staff-only areas such as: office rooms,food/pharmacy preparation, office corridors, laboratories, buildingoperations and maintenance areas.The 4 th point of control should be tosegregate authorized fromunauthorized staff areas with barriers andaccess controls such as card reader-activatedhardware. Unauthorized areas may includefinancial/procurement /personnel records,laboratories, and cash-handling tellers.The 5 th point of controlshould be to restrict accessto restricted areas to a minimumwith card-reader access controls, CCTVmonitors, intrusion detection alarms,and forced-entry-resistant construction.Restricted access areas may include,executive work room, select agentstorage or can be defined as peroperational and business needs
Promote Ethics, Professionalism and IntegrityConflict of Interest RegulationTo ensure transparency and ethical conduct by employees by removing the temptation or the opportunity to engage incorruption; establish transparent frameworks with respect to decision making processes especially, financial decisions;promote disclosure of private, personal and political interests by personnel.Disclosure of Income and AssetsTo provide the basis for monitoring the wealth of individuals while holding office; increase accountability on actions ofoffice bearers and reduce the chances of direct involvement in, or encouragement to, corrupt practices in the offices theymanage.Lobbyist RegistrationTo regulate the process of lobbying in order to create a fair ground for all parties in a given issue; enhanceaccountability and openness among public entities and decision makers, prohibiting any opportunities for bribery toinfluence outcomes and decisionsHotline and Whistleblower ProtectionTo enhance detection of fraud and corruption and encourage reporting of cases of corruption and other malpractice thatmay jeopardize the integrity of an administration.The Integrity PactTo enable companies to abstain from bribing by providing assurances to them that their competitors will also refrain from bribing, and procurement, privatization or licensing agencies will undertake to prevent corruption, including extortion, by theirofficials and to follow transparent procedures; andTo enable institution to reduce the high cost and the distortionary impact of corruption on procurement or licensing.
Code of EthicsBasic principles Impartiality, objectivity, discrimination Confidentiality Due diligence/duty of care Fidelity to professional responsibilities Avoiding potential or apparent conflict of interest Legality (respect for the rule of law) Integrity and honesty Transparency and openness; Efficiency; Equality; Justice; and Responsibility, i.e., maintaining one’s reputation and responsibility forfaults.
Ethics Training To educate employees about the ethics rules andregulations To establish the capacity to maintain open governanceprocessesTo reinforce the principles of transparency and To reinforce the principles of transparency andaccountability
Political & Security Risk AnalysisWherever in the world your business operates you need tounderstand the political, security and business environmentNeed to know how different legal and regulatory environments,political rivalries and potential instability will affect the business.On a local level you have to consider the effects your operationsmay have on specific communities. All of this takes place within aglobal context of legislation, regulation and local and internationalpressure groups, where corporate governance and reputation is ofparamount importance.Understanding, monitoring and preparing for these risks can providea real competitive edge. Conducting a detailed and focused riskassessment for new investments can mean the difference betweensuccess and failure.
Business intelligence & investigationNew markets and business partners offer opportunities but alsopresent risks.Hidden agendas can easily derail the best plans and reputationscan be damaged and investment lost.Add in regulatory or government interference, corruption, criminalityand intellectual property abuse and it is even clearer that businessesneed to be fully aware of a wide spectrum of risks.Examine the business interests, commercial track records andreputation of potential business partners, employees and agents.
Information Security Not just about IT Security. It is a crucial element ofstrategic control and therefore a management issue,relies on the involvement of all levels of anorganization IT Security audits IT Penetration testing IT Security IT Policy and procedure Leak investigations Technical surveillance countermeasures
Business Continuity & Crisis ManagementGood crisis management gives your organization competitive advantage.Business continuity management is a holistic management process thatidentifies, in advance, the potential impacts of a wide variety of disruptionsto the organizations ability to function, allowing the organization to toleratethe loss of part or all of its operation capability.
Travel Security ManagementA tracking system to give you a view of where your travelersare and their scheduled trips, as well as a way to communicatewith them by phone, email or SMS.Pro-active notifications to travelersSMS notification of breaking crisesActive monitoring to oversee the safety of employees visitinghigh risk locationsNotification by phone when issues escalate within locations ofinterest
Security Arrangement –(Implement: The Voluntary Principles on Security and Human Rights)The VPSHR encourage privatecorporations to have consultationsand other appropriatearrangements with the securityforces of the host nation.These arrangements should be astransparent as possible. Thecompany should take the initiativeto sign a protocol agreement withthe government (including atprovincial level where relevant)concerning company support to thehost government, including itssecurity forces.This initiative will provide a bridgeto develop supporting securityarrangements and standardoperating procedures (SOP) withthe public security forces. Thesearrangements should include theVPSHR as a jointly agreedstandard, if possible.
BiographyJunison Zaib (53 years), born in PekanbaruWork History (1982 – Now)GM Security – Chevron, IndoAsia Business Unit, Jakarta (current)Manager IT Telecommunication & Network - Chevron, JakartaTeam Manager Manpower Planning Org Dev & HR Information Systems –Caltex Pacific Indonesia (CPI)Assistant Supt Commercial & Business Applications (CPI)Senior Project Leader IT (CPI)Education and TrainingInstitut Teknologi Bandung – Studi Pembangunan, Magister Teknik (Cum Laude)Ateneo De Manila University – Organization Development CertificationHoskyns, Bournemouth – UK, Project Leading and Quality Assurance CoursesIBM – USA, Systems, Data Base and Data Communication CoursesInstitut Pertanian Bogor, Fakultas Kehutanan
Abstract: Security and Risk Management Best PracticesThe world in which we operate grows ever more complex and many are driven to work in overtly hostile environmentswhere protecting people, assets and reputation is a real challenge. While delivering superior performance, all industryplayers are expected to operate in a transparent and socially and environmentally responsible manner.Dynamic threats and vulnerabilities should be controlled and managed along with business cycle. Business and security risksmust be analyzed onto a more objective basis and mitigated by implementing best practices ranging from physical securityto related ethics, professionalism and integrity promotion.Among practices such as:Physical SecurityPromote Ethics, Professionalism and IntegrityPolitical & Security Risk analysisBusiness intelligence & investigationInformation SecurityBusiness Continuity & Crisis ManagementTravel Security ManagementSecurity ArrangementGood risk management gives competitive advantage and equips your organization with a holistic management process thatidentifies, in advance, the potential impacts of a wide variety of disruptions to the organizations ability to function, allowingthe organization to tolerate the loss of part or all of its operation capability.