Security Risk Assessment for Transport Operators - Department of ...

More documents

Recommendations

Info

1.2.2 MethodologyWhen identifying critical assets, you should consider grouping elements under the headingsof people, information and physical assets. Thought should also be given under these headingsto identifying key dependencies.Table 1: Examples of critical assetsOperator assetsDependenciesPeople Drivers/pilots, CEO, technical experts Supply of contractorsInformation Electronic databases, records Third-party hosted servers,telephone networkPhysicalRolling stock, signal boxes,key stations/ terminals, depots,navigation beaconsSupply of power/ fuel, availabilityof spare parts1.3 Identifying sources of risk1.3.1 What are sources of risk?Traditionally referred to as ‘threats’ within a security context, you should seek to identify both internaland external potential sources of risk to your organisation.When identifying sources of risk, it is important to look for those that have the potential to affectthe organisation. At this stage, you do not need to identify the possible impacts.For the purpose of this guide, sources of risk are defined as:Internal and external threats which have the potential to affect the organisation’s critical assets.Optional advanced technique:For more complex operations, afull criticality assessment should beconsidered to provide ratings and togain a more in-depth understandingof your organisation’s critical assets(found in Appendix A.1 on page 31).10 Security Risk Assessment Guide
Sources of security risk can be looked at both in terms of the potential perpetrator and method(such as the threat from an arson attack [method] by animal rights activists [perpetrator]). To avoidover complicating the assessment and to incorporate the threat from a range of groups, the methodis often however referred to on its own (i.e. the threat from an arson attack).Table 2: Example sources of riskPotential sources of riskarson cyber attack armed assaulthijacking sabotage rioting and civil unrestsurveillance suicide bomber car bombchemical attack biological attack radiological attackpiracy package bomb hostage taking1.3.2 MethodologyWhen identifying sources of risk, it is useful to think both strategically and operationally to ensurethat all potential sources are considered. You may want to refer to the list of critical assets identifiedin Section 1.2 to assist the process.Table 3: Suggested methods for identifying sources of riskMethod Detail ExamplePools ofexpertsPastknowledgeStaffHorizonscanningThreatexpertsA collection of expertsfrom different fieldsA review of past incidentsto identify previouslyrealised threatsReviewing staff reportsof suspicious activityAnticipating future threatsHarnessing theknowledge of subjectmatter expertsFor a rail company, a representative groupmay consist of a driver, manager and engineerReviewing historical attacks against other vesselsglobally, may assist a ferry operator identify potentialthreats that may be enacted domesticallyEncouraging depot managers to report anythreats they encounter, will assist in identifyingpotential trendsA major international event such as a G20 Summit,may bring additional threats not previously presentCyber attack may be identified as a threat, butexperts will be able to drill down to establish furtherdetailed elements such as malware or virusesWorkshop Group discussion At a business unit level, participants may wish toconsider which threats may affect their ability todeliver on the unit’s key objectivesOptional advanced technique:For companies looking to gaina better understanding of theirsources of risk, a more thoroughthreat assessment may be needed.Further detail on conducting athreat assessment can be foundin Appendix A.2 on page 33.Example 1: Identifying sources of riskWhilst undertaking a horizon scan for upcoming events, a bus company notes that asoccer match between teams from countries with historical political tensions is due to takeplace at a location serviced by the operator.As relations between the two countries have recently deteriorated, an extremist group inAustralia associated with one team has threatened violence against fans from the other.The company will be transporting the threatened team’s supporters. As a result, ‘politicalviolence’ is identified as a source of risk which has the potential to affect the bus company’scritical assets.Security Risk Assessment Guide 11
Page 2 and 3: This publication is copyright. No p
Page 5 and 6: The documentPurposeThere are a wide
Page 8 and 9: Part 1Risk identification8 Security
Page 12 and 13: 1.4 Identifying potential areas of
Page 14 and 15: Part 2Risk analysis14 Security Risk
Page 16 and 17: Table 4: Consequence categoriesCate
Page 18 and 19: Example 4: Rating consequenceA larg
Page 20 and 21: Example 6: Rating riskA bus company
Page 22 and 23: Part 3Risk evaluation22 Security Ri
Page 24 and 25: 3.3 PrioritisationTo determine with
Page 26 and 27: 26 Security Risk Assessment GuideNe
Page 28 and 29: Table 8: Sample risk registerIdenti
Page 30 and 31: 30 Security Risk Assessment GuideAp
Page 32 and 33: Table 9: Assessing the criticality
Page 34 and 35: Table 11: Example threat matrixInte
Page 36: For further information in yourlang

Security Risk Assessment for Transport Operators - Department of ...

Create successful ePaper yourself

Delete template?

Save as template?