Session: 01-02-02: Strategic Risk Reduction
Paper Number: 134028
134028 - Understanding Security Program Risk Assessments Through a Secure Asset Framework
Abstract:
The energy industry is responsible for critical infrastructure that keeps individuals, public services, and private industry functioning. The industry requires robust security controls for protecting personnel and critical infrastructure in a constantly evolving landscape. As businesses automate processes and increase operational efficiency, security programs need to protect many more interconnected assets than ever before. Security programs need to be flexible enough to manage evolving physical and cyber risks, vulnerabilities, and threats to a company’s complex assets, while meeting regulatory compliance requirements. By establishing a robust security risk assessment framework, a company can be prepared to anticipate future security challenges in the current threat landscape. This proactive stance enables safe and sustainable business growth in an interdependent and technologically connected world.
Security Programs manage both physical and cyber risks that are constantly changing and evolving as threats become more advanced. Areas of interest for an organization involve protection of physical assets and personnel from crime, harm, and vandalism. Politically motivated or terrorist attacks are a constant threat. Security risks are constantly evolving and adapting, making them unique compared to previous industry security threats. Identification of critical security risks enables achievement of business objectives and integrated planning, and aligns with a company’s management system.
An organization’s cyber assets are constantly targeted for breaches and attacks despite thorough efforts to implement robust cybersecurity measures. An effective response to this challenge lies in the development of a Security Program that is both adaptable to changing circumstances and rooted in a solid security risk assessment framework.
Managing security risks is a careful balance of securing assets and maintaining compliance without hindering business operations. Security operations rely on a myriad of standards, policies, processes, documented or undocumented data, and limited resources to handle a changing risk environment.
An understanding of all the nuances of security risks is necessary to manage potential threats and vulnerabilities. This is implemented by developing a clear understanding of the company's asset inventory and the potential physical and cyber threats, vulnerabilities and risks each asset may face. With this foundation, regular reviews can ensure that the security measures in place continue to be effective against new threats.
Presenting Author: Lisa Zhao Applied4Sight
Presenting Author Biography: Lisa Zhao is a distinguished professional with a Master's and Bachelor's in Electrical Engineering. As a Certified Information Security Manager accredited by ISACA, Lisa brings a wealth of knowledge to her role. Her membership with APEGA in Alberta further highlights her commitment to professional excellence in engineering.
Currently, Lisa excels as a Systems and Business Advisor, where her specialization lies in developing, complying with, and auditing both Physical and Cyber Security Programs. Her implementation of Integrated Planning and comprehensive Management Systems is central to her approach. It ensures that security programs are not only effective in managing assets but also adept at addressing threats, vulnerabilities, and risks. Lisa's skills and insights make her an invaluable asset in the realm of security program management, where her contributions have significant impacts on how clients create compliant systems that work for their organization.
Authors:
Lisa Zhao Applied4Sight
Jamie Nairn Applied4Sight
Mark Jean Applied4Sight
Paper Type
Technical Paper Publication