Security Risk Assessment for Transport Operators - Department of ...

More documents

Recommendations

Info

Table 9: Assessing the criticality of an assetMost plausible worst case impact from loss of assetOperational Health and Safety Financial ReputationalExtremeLoss of ability to deliverthe majority of services forover one monthSingle ormultiple fatalitiesExtreme financial lossto the organisation e.g.more than $2mExtreme negative media coverageand public outcry lasting longer than amonth; negative public comments by aministerCriticalityHighSignificantLoss of ability to deliverthe majority of services forup to one monthLoss of ability to deliver asignificant level of servicesfor up to two weeksSevere injuries tomultiple personnelInjuries requiringhospitalisationMajor financial loss tothe organisation e.g.$501k – $2mModerate financial lossto the organisation e.g.$101k – $500kExtensive negative media coveragelasting over a number of weeks;sustained negative state levelpolitical discussionSignificant negative media coveragelasting for several days; negative statelevel political discussionMediumSome minor reductions inoperational service levelsInjuries requiringattention bya medicalprofessionalMinor financial loss tothe organisation e.g.$10k – $100kMinor negative media coveragelasting for single day; negativelocal council discussionLowNegligibleoperational impactInjury requiring onlyminor first aidInsignificant financialloss to the organisatione.g. less than $10kInternal issue only, no scope for mediainterest; negative customer feedback32 Security Risk Assessment Guide
Example 10: Conducting a criticality assessmentAssetA local ferry company has one pier at each end of its only route, with noalternatives identified.Impact from worst case scenarioThe most plausible worst case scenario is complete physical loss of the pier, whichwould lead to services being terminated for at least two months.MethodologyThe company uses Table 9 to assess criticality and rates as ‘extreme’, the loss of anyasset or dependency which leads to a complete cessation of services for at least onemonth (operational).The criticality of each pier is therefore rated as ‘extreme’.As the company treats anything rated as ‘high’ or ‘extreme’ as a critical asset,each pier is added to the list of critical assets.The company’s criticality assessment now states:AssetImpact from worstcase scenarioCriticalityratingCriticalasset?PierTermination of services for aperiod of at least two monthsExtremeYesA.2 Conducting a threat assessmentUnderstanding the composition of threats and allocating them a rating, can be of substantial usein gaining a deeper understanding of the overall threat environment in which you operate. A morein-depth knowledge can be of benefit in the later stages of the risk assessment process, particularlyin establishing the likelihood of risks and prioritising.For the purposes of this document:Threat is determined by assessing intent and capability.Table 10: Intent and capability descriptorsOptional advanced technique:For smaller operators, identifyingindividual sources of risk may beall that is required. For others,gaining a greater understandingand rating factors that drive thethreat may be desirable.IntentCapabilityDetailFocuses on an individual or group’smotivation and objectives.Considers an individual or group’sknowledge, skills andaccess to resources.ExampleTo take vengeance on an organisationfor previous actions (such assupporting a particular cause).An insider’s knowledge of securityprocedures, access and ability to usea range of firearms.In order to rate the threat, the intent and capability of the attacker should be assessed thencross-referenced to determine a threat rating.Security Risk Assessment Guide 33
Page 2 and 3: This publication is copyright. No p
Page 5 and 6: The documentPurposeThere are a wide
Page 8 and 9: Part 1Risk identification8 Security
Page 10 and 11: 1.2.2 MethodologyWhen identifying c
Page 12 and 13: 1.4 Identifying potential areas of
Page 14 and 15: Part 2Risk analysis14 Security Risk
Page 16 and 17: Table 4: Consequence categoriesCate
Page 18 and 19: Example 4: Rating consequenceA larg
Page 20 and 21: Example 6: Rating riskA bus company
Page 22 and 23: Part 3Risk evaluation22 Security Ri
Page 24 and 25: 3.3 PrioritisationTo determine with
Page 26 and 27: 26 Security Risk Assessment GuideNe
Page 28 and 29: Table 8: Sample risk registerIdenti
Page 30 and 31: 30 Security Risk Assessment GuideAp
Page 34 and 35: Table 11: Example threat matrixInte
Page 36: For further information in yourlang

Security Risk Assessment for Transport Operators - Department of ...

Create successful ePaper yourself

Delete template?

Save as template?