Body of Knowledge a valuable tool for industry

by Graeme Mickelberg
24/09/2008

ASM's security risk expert Graeme Mickelberg has reviewed the recently published Security Risk Management Body of Knowledge, produced by the RMIA, with support from the Government and the private sector.

The aftermath of the September 11 attacks in 2001 and other subsequent attacks have resulted in increased uncertainty coupled with the realisation of the potential risks and consequences of terrorism. Governments in Australia have become very aware of the implications of the threat of terrorism and other security-related threats. As a consequence, Federal and State governments have in some cases legislated or encouraged businesses and other organisations to enhance their security.

Some guidance has been provided by governments to assist businesses to assess security risks; however, many businesses lack the specialist expertise to deal with the day-to-day management of threats of which they have little or no experience. This situation has been further compounded by the lack of procedures of specific relevance to managing security.

Recognition of the need for a best-practice approach to managing security that can be implemented across businesses and organisations in the private and public sectors resulted in an initiative that has produced the Security Risk Management Body of Knowledge (SRMBOK). The objective of the SRMBOK is to improve the effectiveness of security risk management practices by providing a framework to formalise security risk management thinking using processes based on contemporary national and international practice.

The SRMBOK has been developed by the Risk Management Institute of Australasia Limited (RMIA) with funding from corporate sponsors and the Department of the Prime Minister and Cabinet. The SRMBOK was compiled by security practitioners, including principal authors Julian Talbot and Dr Miles Jakeman, and other practitioners who donated their time to prepare contributions that have been subjected to peer review.

The SRMBOK is based on principles that advocate an integrated approach to the management of security across the functional parts of organisations and businesses, with the objective of fostering resilience. The SRMBOK model (see Fig. 1) consists of the following components:

  • Practice Areas: This component refers to the management of security, including physical security, people security, information security and ICT security.
  • Assets: This component relates to items, functions or processes that a business or organisation values and needs to protect.
  • Knowledge Areas: This component addresses concepts, principles, experience and skills which security risk management practitioners need in order to effectively manage security risk.
  • Competency Areas: This component refers to skill sets to qualify practitioners to enable them to effectively manage security risks.
  • Activity Areas: This component identifies steps that make up the security risk management cycle. These steps are identified as intelligence, protective security, incident response, recovery and continuity.
  • Enablers: This component refers to elements that are intended to facilitate the ongoing management of security risk as an enterprise-wide initiative. The elements identified include policies, regulation, training, education, operations, governance and resilience.

The SRMBOK is not intended to be prescriptive in terms of compliance; however, it seeks to provide a generic practice-based approach that is intended to align with existing Australian standards, including AS/NZ 4360:2004 Risk Management and HB 167:2006 Security Risk Management Handbook, and with international standards, including ISO 31000 Risk Management, which is due for release this year.

A positive feature of the SRMBOK is the intention to develop a common security risk management terminology, including explanations as to the context in which terms are used. A common security risk management terminology is fundamental to facilitating a common approach to security risk management, but the willingness of governments, businesses and other organisations to use common terms is likely to affect the degree to which the SRMBOK is accepted.

The SRMBOK handbook is supported by brief practical examples, and it is intended that the SRMBOK will be supplemented by a number of user guides that provide insight into applying the SRMBOK. The guides are intended to address a range of areas, including access control, crisis management, intellectual property protection and pandemics. Given that most managers responsible for security are not security specialists, access to the guides as necessary companions to the SRMBOK will be critical to the successful implementation of the SRMBOK.

Other than very large organisations, or businesses such as financial institutions whose credibility depends on high-quality security, most organisations do not have managers whose sole responsibility is security. Some of the concepts addressed by the SRMBOK are complex, and their implementation will depend on managers being able to access training that provides them with the knowledge and skills sufficient to apply the SRMBOK effectively in the context of their organisation.

The SRMBOK is a useful tool, and the RMIA has recognised the need to continue to evolve the framework, particularly given the dynamic nature of the security environment. The RMIA and the people who contributed to the development of the SRMBOK have made a positive contribution to enhancing the management of security risks in Australia.

First published in ASM Jul-August 2008 edition.

About the author: Graeme Mickelberg is a security risk consultant. His business, Hydra Enterprises Pty Ltd, has national and international clients in the private and public sectors. Graeme can be contacted by email at hydraenterprises@telstra.com or on 0407 113 909.
