President's Corner
Dear Fellow SARMA Members,
SARMA is off to a fast start in 2012. As many of you are aware, we realized the long-held dream of creating a high-level advisory body earlier this month with the highly successful launch of SARMA's Advisory Council. The Council, to be chaired by SARMA's past Board Chair, Phil Lacombe, is intended to provide the Association with a source of strategic guidance and direction; improve our visibility across government, industry and academia; and help to attract new members and sponsors who share our desire to professionalize the discipline of security risk management and make meaningful contributions to public policy. To read more about the Advisory Council's launch, please see our piece on the subject later in this issue of The Risk Communicator.
At the same time, recent developments at the Department of Homeland Security (DHS) are sending mixed signals about the future of risk as a key element of decision-making, prioritization and resource allocation. Among these is the Department's decision to disband the Office of Risk Management and Analysis (RMA), which had been responsible for publishing documents like the DHS Risk Lexicon and Risk Management Fundamentals. As it stands, some of the RMA staff has now been reassigned to the Office of Policy in the Secretary's Office, with the remainder largely going to the Homeland Infrastructure Threat and Risk Analysis Center within the National Protection and Programs Directorate (NPPD). Even NPPD's own reorganization, which reportedly included the creation of a "risk management and analysis office," now seems to be on hold.
Conversely, the Federal Emergency Management Agency (FEMA) recently announced that it intends to combine most of its standalone preparedness grants into a single "National Preparedness Grant Program" in FY 2013. A vision document released earlier this month suggests that funding allocations for the new program are to be based on "prioritized core capabilities as well as comprehensive threat/risk assessments and gap analyses." Such an approach offers the potential for smarter, more targeted investments -- something SARMA has long supported. The devil, of course, will be in the details of the implementation, so more to follow on this...
Finally, we have been fortunate in SARMA's brief history to have retained our core team almost continuously from the beginning. Sadly, the time has now come to say goodbye to a member of that team. The March 2012 issue of TRC will be the last for Editor Avi Klein. As many of you know, Avi is only the second TRC editor, and for the past four years he has performed yeoman's work to ensure we produce a quality product each and every month. As he takes on new challenges in Chicago, I know you all join me in wishing him well. Thank you, Avi!
My best,
Kerry
Kerry L. Thomas
President
Events
Advisory Council/Awards Luncheon a Great Success
On February 2nd, SARMA formally launched its long-anticipated Advisory Council with a well-attended luncheon at Washington's prestigious Cosmos Club. The luncheon also served as an awards ceremony for a number of recent SARMA award recipients.
SARMA is now in its fifth year of operation. The aim of the Advisory Council is to bring together leaders from across government, academia and industry to advise SARMA on its direction and needs as it prepares to enter its next five years of service.
The Council is chaired by Phil Lacombe, who recently completed four years of service as SARMA's Chairman. In his introductory remarks, Lacombe noted that senior leaders in the homeland security community "have charged us with ensuring that SARMA has a strategic path forward that continues to contribute even greater amounts to the success of the nation, to our national security and to global stability."
SARMA President Kerry Thomas called the event "a major milestone for SARMA." SARMA's new Chairman of the Board, John Paczkowski, noted that the organization and the nation as a whole are at a crossroads: "The threat continues to change, there's a period of federal retrenchment in terms of money being put into homeland security, and some very important decisions need to be made about where we're going to put precious resources." He concluded with the prediction that "security risk analysis is going to move to the forefront once again in terms of how the federal government makes those choices."
The luncheon, which was sponsored by PricewaterhouseCoopers and PMC Group, also served as an opportunity to formally present the Hon. David M. Walker, former U.S. Comptroller General, with the SARMA Excellence in Public Service Award he won in late 2011 for "his seminal role in elevating the use of risk management principles as a tool both for guiding the Nation's investments in homeland security and for evaluating their effectiveness."
In his remarks, Walker, founder and CEO of the nonprofit Comeback America Initiative, focused on the threat that high deficit spending and a growing national debt pose to economic and national security. He pointed to the need for better strategic planning across all sectors of government as key to making the right security decisions in the future, and noted that SARMA's role "is of critical importance" in the process, and in fact "is going to increase in importance, because government has grown too big, promised too much and waited too long to restructure."
As Walker put it: "We're going to have to make a lot of tough choices in the coming years over what we're going to do, how we're going to do it, at what level, and how we're going to measure success. We're going to have to realign in many, many different ways, and clearly value and risk have to be central to that process."
Analysis
Operations Security (OPSEC) at a Crossroads: Part I
by Jack Emanuelson
When discussing Operations Security (OPSEC) in any depth, it is important to first point out that the acronym has taken on more than one meaning. There are, for instance, many companies with OPSEC in their company names that offer products which have little to do with the OPSEC five-step risk management process. Probably the most confusing application is operational security as an umbrella term for all security afforded to an asset. This paper, however, addresses operations security, which grew out of the Vietnam War, gained formal recognition in U.S. National Security Decision Directive 298 in 1988[1], and is essential to meeting today's expanded threats to national security and the private sector.
OPSEC is a five-step risk management process that focuses on only the most sensitive or critical information that, in the hands of an adversary, could limit success or give an adversary a decisive advantage. OPSEC follows the common risk management format but employs several unique steps:
1. Identify the critical information.
2. Analyze the threat.
3. Analyze vulnerabilities.
4. Assess risk and decide what actions, if any, are needed to bring risk to an acceptable level.
5. Implement leadership's OPSEC plan and supervise, implement and monitor change to the risk environment.
Critical information refers to specific facts about the assets under consideration. Such assets can include business/military objectives, other activities, facilities and equipment and people. Critical information in the hands of an adversary could cause failure or unacceptable consequences and has the potential to lessen the value of the asset.
Most everyone has a system of identifying critical information. For example, national defense information may be Top Secret, while business information may be Company Confidential. The first order of business is to identify this information through a detailed analysis of the threat, how the threat could potentially adversely impact assets, whether or not potential adversaries have the capability to execute the threat, and the information they must have to succeed. Even if an organization doesn't employ the full five-step OPSEC process, simply identifying and securing critical information in a safe or on an information system is a good security practice.
Analyzing the threat involves several activities. An organization needs to know what the threat means as it relates specifically to it and its assets:
1) Who is the adversary?
2) What is the adversary's intent and does it have the capability to achieve its target? Why is this person or group considered an adversary? Are there multiple adversaries? In a business environment, for instance, different competing companies may have their own objectives, each requiring a separate set of information held by the targeted organization.
3) Given the adversary's objective, what information held by the organization does the adversary need to carry out its intent?
Having developed a potential adversary approach that identifies the adversary, its intent and capabilities, and the information that it needs to gain its objective, the organization should express its concern as both whatever 'win' means to the adversary and what 'loss' means to the organization.
Analyzing vulnerabilities doesn't only refer to the ways an adversary might directly collect critical information, since the organization should have already identified this critical information and secured it. The next step is to look for OPSEC indicators that could allow an adversary to deduce the critical information. This is the crux of the OPSEC process. The organization determines if there is open-source information or observable activity that an adversary could use to piece together, interpret or infer critical information.
Identifying indicators of critical information is relatively easy for a military operation. Where the attack will take place, at what time, and with what resources and forces -- all are pieces of critical information that should have been classified and properly protected. But what about activities such as the logistics preparation for the battle? Are military planners giving critical information away as they communicate with and gather the troops, equipment and supplies? Are doctrine and procedures carried out the same way for each operation, thereby establishing patterns and enabling an adversary to predict the next move based on observing prior activities? In a business environment, is a company giving away the introduction of a new product by purchasing materials not previously used, or by openly advertising for new hires with unique research experience? The search for such indicators is what makes OPSEC a unique risk management process and separates it from routine security functions.
A vulnerability exists when an OPSEC indicator appears in open sources or is observable, and an adversary is then capable of collecting, processing and acting on the information. Indicators, for example, may exist on a web site, on an organization's or employee's Facebook, LinkedIn or Twitter account, on an invoice showing a dramatic increase/decrease in purchases of a raw material or drug ingredient, or from the observation of increased manufacturing activity. When all indicators have been analyzed and their relevance to the critical information established, it is time to analyze how the adversary might collect the indicators -- and to begin thinking about how to stop this flow of information.
(As an aside, an organization doesn't always suppress all indicators. Instead, it might use an indicator to channel an adversary's decision-making process to its advantage. In the private sector, this control of indicators must meet legal requirements. In a military environment OPSEC might be part of the military deception plan, subject to a different, but definitive, set of policy requirements.)
Assessing risk is based on the preceding steps in the OPSEC process. To this point it has been the OPSEC analyst who has taken the tasking from leadership and conducted fact gathering and analysis. The results of this analysis must now be presented to leadership for decision. The OPSEC analysis team must present its conclusions and recommendations to leadership in a format that leadership can understand and act on. The OPSEC team recommends measures to lessen the risk and describes their anticipated effectiveness (i.e., risk reduction). Leadership then decides if the risk is acceptable to them or not. If the risk is unacceptable, leadership approves a course of action and an OPSEC implementation plan. It is important to note, however, that the OPSEC analysis team and leadership may view risk from different vantage points (e.g., the degree of risk might be judged low by an OPSEC analyst who considers threat, vulnerability and impact on equal terms, while leadership may be totally consumed by a fear of adverse impact).
Implementing the OPSEC plan is the last step in the OPSEC process. Implementation doesn't just happen -- someone must be given the responsibility and authority to carry out the plan. Further, the risk environment is often dynamic and must be continually monitored to determine if any of the risk components have changed: new adversaries; changes in adversarial intent or capability; critical information added or no longer critical; changed threat intelligence capabilities; new indicators or means of collecting them; and effectiveness of current OPSEC measures.
Jack Emanuelson is an independent contractor specializing in OPSEC and information assurance. He earned his BS in Business Administration from the American University, an MBA from George Washington University, and is a graduate of the U.S. Army Command & General Staff College. He previously occupied the David G. Boak Operations Security Chair at the National Cryptologic School. Jack is retired from the U.S. Civil Service and is a Lieutenant Colonel, AUS (Ret).
[Editor's Note: Part II of Jack Emanuelson's discussion of OPSEC will appear in the March issue of The Risk Communicator]
[1] The White House, National Security Decision Directive Number 298, National Operations Security Program, January 22, 1988.
Corporate Patron Profile: Secure Mission Solutions
Secure Mission Solutions, a SARMA Silver Patron, is a trusted partner in delivering security-focused services and solutions to enable mission success. An end-to-end integrated security solutions provider, Secure Mission Solutions specializes in the electronic, information, communications, network, and cyber security domains. Headquartered in Reston, VA, Secure Mission Solutions has over 15 years of experience facilitating mission assurance through its core capability areas: (1) Cyber Security and Information Assurance; (2) Critical Infrastructure Protection; (3) Communications and Network Engineering; (4) Command & Control; and (5) Intelligence Services.
Dedicated to the mission of those that protect America and its citizens, Secure Mission Solutions is proud of the support it provides to a broad range of customers that includes the Department of Defense, Army Corps of Engineers, Department of Homeland Security, the Intelligence Community and various other government agencies.
Secure Mission Solutions personnel are subject matter experts employing a full suite of CND services in support of the High Performance Computing Modernization Program (HPCMP) Computer Network Defense Service Provider (CNDSP). Its engineers were instrumental in the development and management of the HPCMP Computer Emergency Response Team (CERT) and conducted 24x7 intrusion detection and incident reporting capabilities across the Defense Research and Engineering Network (DREN) and Secret DREN (SDREN). Responsible for the design, development, testing and maintenance of the third certified and accredited CNDSP, Secure Mission Solutions engineers are employed by the HPCMO to provide vulnerability assessment support; Information Operations Condition (INFOCON) implementation; Information Assurance Vulnerability Management (IAVM) support; network security monitoring and intrusion detection; attack sensing and warning; situational awareness; incident reporting, response and analysis; as well as CND training. Through their dedication and customer-oriented approach, Secure Mission Solutions personnel have been extremely influential in the continued growth and success of the HPCMP.
Secure Mission Solutions provides cutting-edge physical security solutions to a broad range of customers to ensure the protection of vital American infrastructure at home and abroad. In support of the Pentagon Force Protection Agency's (PFPA) Privilege Management Program (PMP), its technical experts developed HSPD-12, Federal Identity Credential Access Management (FICAM) and FIPS 201 compliant solutions, including the design, build and testing to enroll the 80,000-plus personnel of the Pentagon and National Capital Region (NCR) facilities. Secure Mission Solutions integrated HSPD-12 compliant CAC/PIV smart cards, local and national database card authentication, multi-modal fingerprint and iris biometric verification, as well as provisioning privileges for physical access, parking, visitors and vendor credential production. The company's Critical Asset Protection teams also provide physical and electronic security solutions to our nation's most critical assets such as iconic dams and hydroelectric facilities for the Bureau of Reclamation. In addition, Secure Mission Solutions is the primary contractor supporting the development and fielding of Integrated Commercial Intrusion Detection Systems (ICIDS-IV) by providing physical intrusion detection, access control and CCTV services for all Army sites requiring physical security controls.
In support of the US Cyber Command (USCYBERCOM), Secure Mission Solutions is providing state-of-the-art CND operations coupled with leading-edge knowledge of the global cyber threat domain. Its highly experienced IA analysts and incident handlers support the Host-Based Security System (HBSS) at the DoD Enterprise Operation level as well as Tier 3 Incident Handling within the USCYBERCOM Joint Operations Center (JOC) on a 24/7/365 schedule. Secure Mission Solutions also supports the J34 Media, Malware and Analysis Branch in conducting malware analysis in support of computer security incidents. This task includes malware analysis and exploitation of data from compromised systems in support of ongoing analysis. On a daily basis the company's analysts perform open and closed source research on emerging threats and vulnerabilities and develop and compile mitigation strategies related to emerging threats and vulnerabilities, as well as providing incident response and analysis findings. In addition, they perform CND analysis on recent events and strategic analysis of sophisticated attack patterns over the last year or longer.
To learn more, please visit Secure Mission Solutions' website.
Membership Information
SARMA'S 2012 Enhanced Membership Program
SARMA continues to support the needs of the security community by providing added value and keeping our membership rates as low as possible. In particular, we support federal, state and local government employees with a reasonable Government Member rate, and seek to encourage the education of students in the security analysis field by keeping the Student Member rate at an affordable level.
New in 2012, the enhanced SARMA membership program includes the following:
- Welcome letter and personalized membership certificate
- 10% discount on all event registrations
- An expanded event schedule
- Annual Conference
- SARMA Advisory Council meetings
- Networking socials
- Educational events
- Job fairs
- Webinars
- Policy forums
- Exclusive and free members-only events and webinars
- Board meetings, networking socials
- Annual meeting
- Monthly committee meetings
- Access to exclusive information
- Annual Conference speaker presentations
- Conference attendee lists
- SARMA member directory ("opt-in" only)
- Free digital subscription to partner organization newsletters
- Detailed calendar of third-party events of interest to the security risk community
- Opportunities to become involved in various SARMA committees and efforts benefiting the security risk community
Click here to join SARMA as one of our growing number of dedicated members, or contact Paula Copperthite, Director of Membership and Outreach, at paula.copperthite@sarma.org for more information.
Key Reports
Public Safety Canada: Building Resilience Against Terrorism
A new report from Public Safety Canada sets forth the government's strategy for countering terrorism, with "building resilience" as the "core principle."
Get the report
FEMA: The State Of FEMA 2012
A new report from the Federal Emergency Management Agency lays out the agency's performance highlights from 2011 and notes that "the Fiscal Year 2013 budget request focuses on achieving success in one of DHS' core missions: ensuring domestic resilience to disasters."
Get the report
SIPRI: Maritime Transport And Destabilizing Commodity Flows
A new report from the Stockholm International Peace Research Institute presents "a comprehensive mapping and analysis of the ships involved in the clandestine transport of narcotics, arms and dual-use goods essential to the development of weapons of mass destruction."
Get the report
Jobs
ABS Consulting: Junior Risk Analyst
ABSG Consulting Inc. is seeking talented professionals to provide technical and management consulting services to the Federal Government, specifically in the area of homeland security risk analysis. Tasks focus primarily on methodology development, metrics design, qualitative and quantitative analysis, and risk modeling.
Read the notice
ABS Consulting: Risk Analyst
ABSG Consulting Inc. is seeking talented professionals to provide technical and management consulting services to the Federal Government, specifically in the area of homeland security risk analysis. Tasks focus primarily on methodology development, metrics design, qualitative and quantitative analysis, and risk modeling.
Read the notice
DHS: Operations Research Analyst
DHS National Protection and Programs Directorate is seeking applicants to provide technical support and subject matter expertise for execution of strategic quantitative risk assessments. Responsibilities include developing tailored risk and decision analytics, support tools and technical assistance; advancing risk and decision analytics, support tools and technical assistance; and promoting effective homeland security risk communications and enhancing risk communications techniques.
Visual Risk Technologies: Safety and Security Risk Consultant
Visual Risk Technologies is seeking applicants to contribute to the firm's creative approaches and proven software solutions that are in use by a variety of corporate and government clients in the homeland security, transportation, energy, and chemical industries. The position will provide expert guidance to technical staff and conduct independent research and analysis culminating in written reports and oral presentations.
FEMA: Program Analyst
FEMA is seeking applicants to, among other tasks, conduct research and perform analytical tasks for risk analysis, risk management, and critical infrastructure protection initiatives and programs. The successful applicant will also provide assistance for obtaining, analyzing, and processing data related to critical infrastructure and all-hazards risk in support of assessments and analyses.
Read the notice