Security Risk Assessment for Transport Operators - Department of ...

More documents

Recommendations

Info

Example 4: Rating consequenceA large road-haulage company that transports livestock has identified a riskfrom, ‘Truck experiences sabotage by animal rights activists, resulting indamage to vehicle.’The company has a number of controls already in place for the security of vehicles,including robust locks and procedures to check the vehicle after each stop.If the risk is realised, (taking into account current controls and assuming amost plausible worst case scenario), the company has identified that therewill potentially be financial and operational consequences:• Financial – replacement cost of truck ($150,000)• Operational – minor reduction in operational service levelsThe company uses Table 5 on page 17 and as such, the consequencesare rated as: ‘moderate’ for financial and ‘minor’ for operational.When determining the overall level of consequence for the identified risk,the highest level is taken. The consequence rating for this risk is thereforelevel ‘3’ (moderate).2.3 LikelihoodYou now need to work out the likelihood of the identified risk occurring. Primarily this will be achievedby reviewing the source of risk (see Section 1.3 on page 10), however the vulnerability of the asset itselfmay also be taken into account (including consideration of the current controls in place to protect it).The table here shows how likelihood may be rated and contains a range of benchmarks that can beused. While some, or all, of the criteria below might be suitable for your organisation, you may needto tailor these to suit your requirements.Table 6: Rating likelihoodOptional advanced technique:Undertaking threat and vulnerabilityassessments (outlined in Appendix A‘Further Techniques’, page 30), mayhelp you gain a better understandingof the probability of the risk occurringand the current controls that are inplace to protect an asset.Rating Descriptor Probability FrequencyA Almost Certain Greater than 95% Occurs every monthB Likely From 65% to 95% Occurs once every few monthsC Possible From 15% to less than 65% Occurs once every yearD Unlikely From 5% to less than 15% Occurs once every 10 yearsE Rare Less than 5% Occurs once every 100 yearsWhen determining likelihood, you should consider both previous occurrences and futureconsiderations. Statistically for example, an arson attack against a train operator’s depots may occuronce every year and therefore attract a ‘C’ (possible) rating. On the other hand, a ferry operator mayhave never before been affected by civil unrest but due to a heated political environment, there is a70 per cent future chance of a riot occurring at the operator’s shore facilities, therefore attractinga ‘B’ (likely) rating.18 Security Risk Assessment Guide
Example 5: Rating likelihoodA freight train operator has identified a risk as, ‘The payroll system is affected by acomputer virus, resulting in the loss of employee information.’While this type of attack has never before happened to the company, attacks have beenseen against other organisations and the government is warning of a heightened threatfrom computer viruses against infrastructure operators.Given this information and taking onboard security measures that are already in place(‘current controls’), the operator’s risk committee considers that there is a 20 per centchance of a computer virus affecting the payroll system, which would result in the lossof employee information.Using Table 6 on page 18, the likelihood of the risk occurring is therefore ratedas ‘C’ (possible).*Note: a computer virus can form part of a wider targeted cyber attack, as identified in Table 2 on page 11.2.4 Rating riskOnce you have identified the appropriate levels of consequence and likelihood for the risk, younow need to allocate an overall risk rating. As with both the consequence and likelihood tables,you can alter the risk rating matrix to better represent your organisation’s individual requirements.Use Table 7 to establish the overall level of risk by cross referencing the ratings for consequenceand likelihood:Table 7: Rating the riskLikelihoodConsequenceInsignificant Minor Moderate Major Catastrophic(1) (2) (3) (4) (5)Almost Certain (A) Significant High High Extreme ExtremeLikely (B) Medium Significant High High ExtremePossible (C) Medium Medium Significant High HighUnlikely (D) Low Medium Medium Significant HighRare (E) Low Low Medium Medium SignificantSecurity Risk Assessment Guide 19
Page 2 and 3: This publication is copyright. No p
Page 5 and 6: The documentPurposeThere are a wide
Page 8 and 9: Part 1Risk identification8 Security
Page 10 and 11: 1.2.2 MethodologyWhen identifying c
Page 12 and 13: 1.4 Identifying potential areas of
Page 14 and 15: Part 2Risk analysis14 Security Risk
Page 16 and 17: Table 4: Consequence categoriesCate
Page 20 and 21: Example 6: Rating riskA bus company
Page 22 and 23: Part 3Risk evaluation22 Security Ri
Page 24 and 25: 3.3 PrioritisationTo determine with
Page 26 and 27: 26 Security Risk Assessment GuideNe
Page 28 and 29: Table 8: Sample risk registerIdenti
Page 30 and 31: 30 Security Risk Assessment GuideAp
Page 32 and 33: Table 9: Assessing the criticality
Page 34 and 35: Table 11: Example threat matrixInte
Page 36: For further information in yourlang

Security Risk Assessment for Transport Operators - Department of ...

Create successful ePaper yourself

Delete template?

Save as template?