What should a public agency or organisation consider when analysing its operations in relation to critical assets, threats and consequences?
Identify critical assets
Protective measures tend to be decided upon at a far too early stage, and without thorough analysis of what exactly needs to be protected. The heart of the matter is: what areas of our operations can be identified as critical assets?
Decide what consequences would be unacceptable
National protective security work focuses on the prevention of espionage, sabotage and terrorism. Such crimes could disrupt society as they may have serious functional, political, economic or social consequences. In some cases, the scope of disruptions, e.g. in time or extent, is such that they can be regarded as unacceptable. Power cuts, unreliable IT systems or telecommunications are examples of this. In other words, the potential consequences of an attack determine how critical a particular operation or facility is.
It is important to describe the negative consequences of various types of attacks, whether to the agency or organisation in question or to the nation (e.g. through disclosure of classified information). The purpose of a consequence analysis is to assess the criticality of various areas of operation and to determine which consequences would be unacceptable and would therefore have to be counteracted.
One important question to answer is whether theft or manipulation of information, or sabotage against a particular area of operations, could have consequences of significance to national security.
Once critical areas of operation have been identified, the next step is a vulnerability analysis of these areas. This serves to identify and analyse vulnerabilities that may be exploited by an adversary.
One problem the Security Service sometimes comes across is the presence of serious vulnerabilities resulting from a failure to identify areas that should be protected. This could have serious consequences. The Service has seen instances where agencies have failed to identify various IT systems as critical and outsourced them without placing sufficient demands on security.
It is difficult to provide general advice on assessing vulnerabilities as it is often necessary to balance function against protection level. The most important thing, however, is to be aware of the pros and cons of decisions and of ensuing risks.
Plan long-term protective security measures
Measures to handle vulnerabilities in critical assets fall into five different areas:
- physical security,
- information security,
- security screening (protection against insiders),
- protective security training, and
- protective security inspections.
To achieve maximum effect, protective measures in these areas must complement each other. A protective security system is of course most effective if incorporated from the start.
In some areas, such as physical security, timing is crucial as protective measures have to be incorporated into the construction of the facility. Although protective measures can always be added afterwards, this seldom provides the same degree of security and also tends to be less cost-effective. The same goes for electronic protective security measures and protection against insiders when recruiting staff (security screening).