The most important aspect of protecting any site or asset is to define the operational requirements. Carrying out the operational requirements (OR) process will allow both clients and consultants to decide on the security measures that are both proportional to risk and required investment.
What is an Operational Requirement?
Operational Requirements fulfil the task of assessing, developing and justifying measures needed to protect assets against security threats. OR is a structured process to Outline & Assess security risks, identify risk Mitigation Options, Develop a strategic security plan (SSP) of how the needs of an organisation will be met and finally; assist in building a Business Case for investing in the over all development and delivery of the proposed plan.
The process of operational requirement planning is separated into two levels; Level 1 consists of the planning & assessment stage and should be carried out an organisations personnel or a dedicated security consultant during security auditing. Level 2 OR is used to translate the information from level 1 into a detailed plan of individual security measures and should be provided to project teams or an individual responsible for the delivery of the measures. A well-compiled level 2 Operational Requirements report can also be used for costing or tendering options.
- It can be used to assess, justify and develop security measures against specific threats
- The process is very intuitive and uses the standard risk assessment formula; meaning easier and faster completion
- All assessments are able to be formatted to fall in line with current risk assessments; leading to closer integration with non-security departments.
- Due to the nature of the process; updating and reviewing past assessments becomes a simple process leading to security evolving with dynamic threats
Level 1 Operational Requirements Process
Level 1 is broken into five steps
|1||Identify Assets||Identify all assets that need to be protected. Time should be taken to prioritise the assets highlighting those that are critical.
|2||Identify Threats||- Who is a threat?
- Why are they a threat?
- What is their target, goals and capabilities?
- Is your organisation vulnerable to the threat? and how?
|3||Assess the Risks||Which risks should be focused on?
What risks does the organisation face?
|4||Identify Risk Mitigation Options|
(Develop Strategic Security Plan)
|What options are available?
What are possible impacts from implementation?
What will the SSP cover?
What integration options are available?
|5||Review Implementation Effects||Is the organisations capable and/or ready for implementation of the SSP?
Step 1: Identify Assets
When identifying assets time should be taken to address each with a priority structure. Within any organisation, there will be critical and non-critical assets that will require protection. However; the levels of required protection should be defined to reflect the criticalness of the asset itself. This step in the OR process is important as it will formulate the argument for where most resources should be directed.
Step 2: Identify Threats
Acknowledging the threats posed to an organisation and how vulnerable the organisation is to these threats is the base line of any Level 1 OR. When identifying threats; you should also be looking to identify potential instigators, whether internal or external to the organisation’s structure. An example of each could be Internal – Disgruntled Employee & External – Protestor.
Sources of intelligence may provide you with information regarding instigators and can come in many forms, such as colleagues, police or intelligence services, members of the public or security contractors.
During the treat analysis, you can use three points to prove as a tool to ascertain capability and intent:
- Why are they targeting the organisation?
- Which assets are likely to be targeted?
- How would these targets be attacked?
Other aspects that need to be taken into consideration are things like i) National Threat Level, ii) Previous threats, iii) Previous incidents, iv) Changes in threat, v) Potential future threats.
Step 2 should be continuously reviewed even external to any OR procedure in order to maintain focus on dynamic threat environments.
Step 3: Assess the Risk
The basis of the risk assessment should be taken from the view point of a worse case scenario and should look at the successful attack or completion of any threat upon an individual asset.
Protection categories fall into four headings:
People – Staff, visitors, contractors, customers
Physical Assets – Buildings, Contents, Equipment, Materials
Information – Electronic, Paper or Both
Processes – Any aspect of operational process and/or service required to support the organisation
It is impossible to put these categories into a universal critical order as each organisation will have different demands; however, no matter the order; these areas should be continually reviewed as the organisation adapts and grows.
Step 4: Identify Risk Mitigation Options
Once the previous steps have been clarified; all that remains in the development of the level 1 OR is to matrix the information and evaluate different mitigation options for each asset + threat x risk combination.
During the mitigation planning; other factors will also need to be equated such as financial cost against benefit. It should always be a priority to remove a threat if possible, however much like a risk assessment in Health & Safety, reduction of the risk to an accepted level can often be more sound; especially economically.
So let us take a look at potential mitigation outcomes:
- Remove the Threat – Most desirable but can be resource demanding
- Reduce the Vulnerability – Often through operational and/or physical measures
- Reduce the Impact – This outcome negates prevention of an attack and concentrates on putting plans and resources in place to recover from an attack if it were to happen
Upon setting out a base of options for each threat; scenario analysis should be carried out to explore the suitability of them. During the analysis, any options that fail to be viable should be dropped in favour for a core of robust and suitable options. The core mitigation options can then have basic costing analysis generated for each and the information is collated into a strategic security plan (SSP).
An SSP should include:
- A breakdown of components involved in the mitigation option
- How the option will be implemented
- How the option will be audited and measured post implementation
Further information can also be included such as timescales, suggested measures during implementation and effects on non-essential assets.
Step 5: Review Implementation Effects
The final step is to analyse the effectiveness of the proposed SSP and define how it will both migrate into the organization’s current measure and also what possible impacts may be a result of the implementation.
Initially, the SSP should be used to reality check the feasibility of the chosen mitigation options and secondly; to check that the operational capabilities are in place to ensure a smooth implementation.
In a future article, we will look at the Operational Requirements matrix and explore how to put level 1 into action.
Did you read our article about Penetration Testing the Old Fashioned Way?