Modern Concepts of Security

CONTENTS

Dedication

Preface

Acknowledgments

Chapter 1

Chapter 2

Chapter 3

Chapter 4

Chapter 5

Chapter 6

Chapter 7

Chapter 8

Chapter 9

Chapter 10

Chapter 11

Chapter 12

Chapter 13

Chapter 14

Chapter 15

Chapter 16

Chapter 17

Chapter 18

Chapter 19

Bibliography

Appendices

Dedication

To the security operatives who lost their lives in the bomb blast during the country’s 50th Anniversary celebration at Abuja, Nigeria with other civilian victims who paid the ultimate price with their lives in that unpleasant incident on October 1, 2010.

And

Security personnel worldwide who die on active service due to lack of proper on-the-job training

Preface

I have been associated with the security operations at various levels of jurisdictions from the National security policing (covert operations) to the Industrial/Commercial security setup; to Corporations proprietary security practice and supervision over the past three decades. In this stretch, I have come to be conscious of the vital necessity for comprehensive documentation of security and safety archetypes for the study of this unique profession in which reference materials for developing core and universal curricula for training or self improvement of security operatives are hard to come by. Mainly because most law enforcement agents or persons charged with security managements—Law enforcement officers; Security Directors, Fire Safety Directors, the police and even Contract Security firms have hardly come to terms with the professional demands of this specialized professional calling which has assumed the centre stage of global respect of the present-day.

It is with these concerns that this book is designed to be a working companion to personnel and agencies in the security professional vocation along with students of peace and conflicts studies; criminology and security studies—the Armed forces personnel together with other national security agents (DSS, DIA, NIA, NAFDAC, NDLEA, NEMA etc.); the Para-military (Police, ICPC, EFCC, Customs & Excise and Immigrations departments, FRSC, NCDC, NEMA and a host of others).

In essence, modern security outlook incorporates the Human Security schools of thought which is all about the practice of holistic and global security that is a shift from the traditional conception of national security (a state-centred approach) to focus on the wellbeing of individuals, which is yet to be cultivated in the African continent resulting in enduring problems of disease, poverty, security adversities, violence and insurgences, human rights abuses and civil strives.

Besides, not only are security practitioners disappointingly motivated in this part of the world, public security awareness is very poor. People over and over again meet with difficult challenges that are commonly attributable to the failures and helplessness of the occupational establishments and governments to match the ever more sophistication of societal crimes that frequently the security enforcers are the obscene victims that sacrifice their precious lives due to lack of technical and procedural know-how on the job.

For this reason, this professional security guidebook is designed to offer sound basic knowledge for researchers, security practitioners and students in fields of environmentalism, emergency management, security/conflicts studies, drug law enforcement, proprietary and contract security practice and supervision as well as for individual reading to boost security consciousness of the entire human race. If security studies is new to you, the following broad scope and many more will be comprehensively treated.

68251.jpg The meaning of the terms security and safety

68254.jpg Risk assessment with the varieties of security and safety systems.

68256.jpg What comprise security programs and how they can be successfully managed

68258.jpg Measures to be adopted to guarantee national security through the holistic human security approach.

68260.jpg The Secret service and Intelligence Operations

68262.jpg Use of intelligence services for detecting or pre-empting and routing security threats

68264.jpg Deployment of counterintelligence services or secret policing to shield national interest from internal/external threats.

68266.jpg Espionage and subversions under purview of classified information protection

68268.jpg Classified sensitivity of information and information integrity security

68270.jpg Global food insecurity and assessment of malnourishment based on contemporary food availability, accessibility and affordability inferences

68272.jpg Health security & emerging infectious diseases

68274.jpg The environment and environmental security issues

68276.jpg The impact of climatic change and environmental effects of global warming especially in consideration of sea level rise and emerging pervasive flooding phenomena

68278.jpg Evaluation of economic security as footings of inimitable support for nation’s human capital/resource development

68282.jpg Security governance and change management

68284.jpg Civil disorders and terrorism in the modern sagacity of violence

68286.jpg Forms of disasters and disaster management procedures relative to planning, mitigation and preparedness for recovery of critical infrastructure vital to survival of natural or human-induced disaster communities.

68288.jpg The types of emergencies that are likely to occur and how to establish or implement and maintain a methodical Contingency Plan to effectively handle them.

68290.jpg Emergency management situational guidelines

68292.jpg How to write security instructions and communicate the security and safety program effectively to security staff and higher authorities.

68294.jpg The laws, codes and standards that are the framework of security and safety.

68296.jpg Narcotics, drug law enforcement and administration, and the adverse consequences of substance abuse on the society

68298.jpg Public relations in how to effectively interact with other law enforcement and security agencies and authorities etc.

If however, for want of space all these topics are not comprehensively touched in this Book, they will be adequately dealt with in subsequent volumes. The reference volumes afford abundant valuable materials on modern concepts of security which can be adapted, modified, rejected or used for the reader’s own purposes. I have endeavored to avoid errors, both of omission and commission and will be glad to correct in future editions any inaccuracies that are brought to my attention. I therefore entrust this book to the kind consideration of security practitioners and managers in general, especially the certified national and international security and law enforcement professionals. I hope that the contents will be of material benefit to the entire security community because it is only when knowledge is applied specifically to the needs of a particular skill that it becomes of true value. Therein lays the reader’s part.

James O. Akpeninor

+2348032396800

jamesakpeninor@gmail.com

www.ohwosco.com.ng

Acknowledgments

The following have all contributed in part to my experience, learning, and understanding the world of security and safety:

68299.jpg The Nigeria Police force (NPF), particularly the Police Detective College, Enugu-Nigeria

68302.jpg The defunct Nigeria Security Organisation (NSO)

68304.jpg The Post & Telecommunications Department cum Nigerian Telecommunications Limited (Security & Investigations Department), with its sound standards and training materials for security and crime investigation professionals as well as the International Institute of Security, with its certification program for security professionals throughout the world

68306.jpg The American Society for Industrial Security and its Certified Protection Professional program and

68309.jpg Lastly but recognizably not the least of all is the National Open University of Nigeria (NOUN).

Additionally, there have been many wise security managers, security and safety professionals, law enforcement personnel and friends from whom I have had the privilege of learning over the years.

Specifically, I would like to acknowledge:

68311.jpg Elder Wash Nwachukwu (my former boss, uncompromising helpmate and good friend) who reviewed this work; a great sounding plank for ideas and security expertise.

68314.jpg Barrister Onuora Ukaejiofo for giving much of his time and know-how to painstakingly make inputs, reviewing materials of this book and sundry advice on how to administer and cope with the security demands as Security and Investigation Managers during our past employment in the Nigerian Telecommunications Ltd (NITEL).

Chapter 1

Introduction

In his Leviathan (1651), the English philosopher Thomas Hobbes assigned utmost importance to organized society and political authority. He declared that human life in the state of nature (apart from or before the institution of the civil state) is solitary, poor, nasty, brutish and short and that it is a war of all against all. People accordingly seek security by entering into a social contract in which each person’s original power is yielded to a sovereign, who regulates conduct. This classical conjecture in affairs of the state takes for granted that human beings are malevolent, hence there is need for a strong state to repress them. Then again, Hobbes contends that if a sovereign does not provide security (law and order) and is overthrown by the people, they revert to the state of nature and then may make a new contract. Hobbes’s doctrine with reference to the state and the social contract influenced the notion of another English philosopher John Locke; who quite in contrast, maintained in his Two Treatises on Civil Government (1690) that the purpose of the social contract is to reduce the absolute power of authority and to promote individual liberty.

That is to say, the concept of security does not only covers a social contract, but a very wide field that in consequence can be concerned with national security, food security, security of lives, security of properties, economic security, environmental security, information security, guarantees and performance/bail bonds, security for loans etc. Each of these different dimensions of security is concerned with security in a particular subject or field. National Security being the security of a country which occupies a geographic area of the earth’s surface, food security being a propos of the adequacy of food supplies, as health security is with regard to a country’ food adequacy for the component states, city et cetera, each of which covers a particular part of the earth’s surface and so on. Security in terms of safety from harm is an expression that has different dimensions in psychology, public safety, defense and military discipline as well as in information communication technology (ICT). In finance, a security is a document in lieu of an investment.

Security concerns the provision of information on:

68986.jpg Personal security as a basic human need and a basic reason behind society, (see Motivation—Frederick Hertzberg proposed the Motivation-Hygiene Theory, also known as the Two factor theory (1959))

68989.jpg Provisions of international law designed to assure peace and security in International Relations.

68991.jpg Government agencies concerned with national security (see Central Intelligence Agency; Federal Bureau of Investigation; KGB; National Security Council; State Security Service).

68993.jpg International agencies and alliances concerned with security issues (see United Nations; Warsaw Pact; Commonwealth of Nations; African Union; Organization for Security and Cooperation in Europe).

68995.jpg Information security, (see Computer Security; Cryptography; Data Encryption Standard; Firewall)

68998.jpg Security for loans, (see Collateral; Credit; Exchange

69000.jpg Guarantees such as bail bonds, fidelity bonds and performance bonds, [see Bond (law) ]

69002.jpg Travel and transportation security, (see Aviation security)

69004.jpg Property security, [see Key (mechanics); Lock (fastening device); Fire Fighting in physical security]

Definitions

Security is a noun derived from the Latin word securus, which means free from danger or safety. The New Webster Dictionary defines security as the state of being secure; confidence of safety; freedom from danger or risk; that which secures or makes safe; something that secures against pecuniary loss.

Fischer and Green (1992, p.3) writes, Security implies a stable, relatively predictable environment in which an individual or group may pursue its ends without disruption or harm and without fear of such disturbance or injury.

Public security involves the protection of the lives, property and general welfare of people living in the public community. This protection is largely accomplished by the enforcement of laws by the police funded by public monies.

Private security, on the other hand, involves the protection of the lives and property of people living and working within the private sector. The primary responsibility for achieving this rests on an individual, the proprietor of a business employing people, the owner or agent of the owner of the facility where a business is conducted, or an agent of the aforementioned who specializes in providing protective services. As Post and Kingsbury (1991, p. 1) posits: In providing security for specific applications, the purpose of private security may be described as providing protection for materials, equipment, information, personnel, physical facilities and preventing influences that are undesirable, unauthorized or detrimental to the goals of the particular organization being secured.

Security could therefore be defined from the following perspectives:

69006.jpg State or feeling of safety: the state or feeling of being safe and protected

69008.jpg Freedom from worries of loss: the assurance that something of value will not be taken away ( job security)

69010.jpg Something giving assurance: something that provides a sense of protection against loss, physical attack or harm (the security of knowing that the vehicle has been thoroughly checked before embarking on a journey).

69012.jpg Safety: protection against attack from without or subversion from within (a matter of national security)

69014.jpg Precautions to maintain safety: precautions taken to keep somebody or something safe from crime, attack or danger (security measures).

69016.jpg Guards: people or an organization entrusted with the job of protecting somebody or something, especially a building or institution against crime (If you do not leave, I will call security).

69018.jpg Asset deposited to guarantee repayment: something pledged to guarantee fulfillment of an obligation, especially an asset guaranteeing repayment of a loan that becomes the property of the creditor if the loan is not repaid

69020.jpg Guarantor: somebody who pledges to fulfill somebody else’s obligation should that person fail to do so

69023.jpg Financial instrument: a tradable document that shows evidence of debt or ownership e.g. a stock certificate or bond (Source: Microsoft Encarta 2008: Encyclopedia)

Thus, anything which threatens the peace, law and order of a country is a threat to its security. Anything that threatens the life or well-being of an individual is threatening his/her security. Under such threats, neither the country nor the individual can function properly as it should be.

The value of Security

Security studies deal with those conditions, people or events which are threats to the wellbeing of a country, an area, people or properties. For example, pirates are people who attack and rob ships at sea and their activities constitute piracy which is a crime. Such people operate in the coastal waters of Nigeria and do attack ships bringing imports to Nigeria or taking exports out. They are for that reason a threat to legitimate shipping and international trade. Since the Nigerian economy depends to a large extent on external trade, piracy is a threat to the economy of the country. It is therefore a matter of great concern to the security authorities. Security studies therefore faces up to such questions as what constitutes a security threat—What factors that encourage the emergence or development of security threats? Why some places more prone to security threats than others? What could be done to mitigate insecurity or control threats?

The concept of security has been mainly confined to its habitual militaristic national security component; whereas the modern concept also takes account of the non-traditional attributes. Hence contemporary definition of security goes beyond these conventional notions of security to take in numerous other elements like climate change, food security, economy, economic security, social security, emerging diseases and mass migration, global warming and epidemics. Notable threats for instance posed by climate change in the manifestation of global warming, glacial melting, unusual precipitations and natural hazards like cyclones around the world are now common observable facts. The non-traditional security threats confronted by most of the Third World countries are more hazardous than conventional security threats (imaginary external aggression from belligerent neighbouring countries) that due to their extensive devastating effect, has become increasingly familiar with the passage of time. The developed nations though being more capable of confronting these challenges, to some extent (due to their technological advancement and firm economic base) differ from the developing states where responsiveness to these threats and disaster management is quite not worth mentioning, with meager professional and economic support to deal with their consequences. For some countries the climate change has developed into an existential threat. Maldives (like most coastal regions of Nigeria) is one of those countries where the effects of climate change are barely visible to the naked eye but the country is only 1m above sea level and 1200 of its islands are sinking 0.9 cm every year just like the Warri coastal areas of Nigeria.

Scientist are concerned that Maldives is gradually becoming extinct, which might take just the next 100 years. Pakistan has also witnessed rapid devastation of climate changes in the recent years because of rising temperature, flash flooding and shift in precipitation pattern; the effects of which are elemental to extensive regional climate changes. Pakistan has suffered the worst weather-related disasters in living memory during last few years. Flash floods in 2010 caused by heavy rains in Northern and Southern regions of that country affected at least 20 million people directly; that almost one million homes were destroyed while more than 2,000 people lost their lives. The 2011 weird floods moreover destroyed billions worth farm lands, road and communication infrastructure. Damage to amenities was estimated to exceed four billion U.S. dollars as farm land of wheat crop damages in Punjab, Sindh and Khyber Pakhtunkhwa were projected to be over five hundred million U.S. dollars.

Nigeria is not left out left out of these non-traditional security threats as coastal cities (Lagos etc.) and also in the hinterlands like Ibadan, Jos, Maiduguri, Minna, Sokoto and the rest, continue to witness sizeable effect of devastation caused by heavy flooding of these places in the recent time after heavy monsoon rains. The havoc caused by the floods in many regions has affected million of people with several deaths and many homes destroyed. Within just few months the country received heightened monsoon rains as early as April that by August of 2011 for example the city of Ibadan received well over 200 percent monsoon rains above normal. The agriculture sectors on which most of the rural populations of the Northern provinces depend were also not spared and may take years to fully recover.

In these societal setting, security threats have become multifaceted, many-sided and complicated in many forms to include:

bullet.jpg Murder—the unlawful killing of a human by another with malice, aforethought, either expressed or implied.

bullet.jpg Manslaughter—the unjustifiable, inexcusable, and intentional killing of a human without deliberation, premeditation and malice.

bullet.jpg Robbery—felonious taking of personal property, or any other article of value in the possession of another, from his or her person or immediate presence and against his or her will, accomplished by means of force or intimidation.

bullet.jpg Assault—any willful attempt or threat to inflict injury on the person of another. An assault may be committed without actually touching, striking or doing bodily harm to another.

bullet.jpg Assault and Battery—any unlawful touching of another that is without justification or excuse.

bullet.jpg Mayhem—Webster’s College Dictionary defines mayhem as: the crime of willfully inflicting an injury on another so, as to cripple or mutilate. Random or deliberate violence or damage In many jurisdictions the crime of mayhem is treated as aggravated assault.

bullet.jpg Sexual Offenses (including rape, sexual harassment and lewd behavior—rape is unlawful sexual intercourse with a female without her consent. Under some statutes, this crime may now include intercourse between two males.

bullet.jpg Sexual harassment is a type of employment of discrimination that includes sexual advances, request for sexual favours and other verbal or physical conducts of a sexual nature commonly prohibited by state law statutes. Lewd behavior relates to morally filthy or unjustifiable conduct including indecent public exposures of sensitive parts of the body.

Threats to property include:

bullet.jpg Vandalism—willful or malicious acts deliberately to damage or destroy property. Included among these acts is the drawing of graffiti. Often if a sharp instrument, such as a key or pocket knife is used to scrape initials, insignia or drawings or graffiti is written using colour markers, crayons, pencils, lipstick or spray paint. Graffiti is commonly found in rest rooms, on lockers, and on walls of elevator lobbies (particularly those of service or freight elevators), rest areas (parks) and walls immediately adjacent to public pay phones.

bullet.jpg Trespass—any unauthorized intrusion or invasion of private premises or land of another.

bullet.jpg Criminal trespass—is entering or remaining on or in any land, structure or vehicle by one who knows he or she is not authorized or privileged to do so. This includes staying on the property after permission to do so have been revoked.

bullet.jpg Burglary—entering a vehicle or building or occupied structure (or separately secured or occupied portion thereof) with intent to commit a crime therein, at a time when the premises is not open to the public and the perpetrator is not authorised or privileged to enter.

bullet.jpg Larceny—the unlawful taking and carrying away of property of another with intent to appropriate it to use incompatibly with the owner’s rights.

bullet.jpg Theft/Stealing are common names for larceny. Larceny-theft includes offenses such as shoplifting, pocket picking, car theft and other types of stealing where no violence take place.

bullet.jpg Sabotage—is the deliberate damaging or destruction of property or equipment e.g. by resistance fighters, enemy agents or disgruntled elements. This act could also be perpetrated to undermine somebody’s efforts or achievements by an opponent seeking revenge. In commerce, sabotage includes the willful and malicious destruction of employer’s property or interfering with the employer’s normal operations for instance during a labor dispute or such related acts by disgruntled ex-staff.

bullet.jpg Espionage—This is the activity of spying (as in the use of spying or spies to gather secret information) i.e. the intrusion of gathering, transmitting or losing information regarding the national defense with intent or reason to believe that the information is to be used to injure the interest of the state; or to the advantage of any hostile foreign nation. It could also be perpetrated by a business competitor engaging in industrial espionage.

bullet.jpg Arson—is crime of burning property: the burning of a building or other property for a criminal or malicious reason. This definition has been broadened by some state’s statutes and criminal codes to include starting a fire or causing an explosion with the purpose of:

a) Destroying a building or occupied structure of another; or

b) Destroying or damaging any property, whether one’s own in order to make insurance claim for such loss. Other statutes include the destruction of property by other means (e.g., an explosion).

bullet.jpg Disorderly Conduct—can be considered a threat to people or property depending on the nature of the offense.

Some other threats to both persons and property include: fire, explosions, bombs, power failure, and natural disasters like water leaks, chemical and hazardous materials, riots, strikes and civil disturbances, demonstrations, riots and civil disorders, kidnapping and hostage taking and terrorism.

69145.jpg Kidnapping—means to carry off and hold a person usually for ransom (Oxford dictionary).

In criminal law, kidnapping is the taking away or transportation of a person against that person’s will, usually to hold the person in unlawful imprisonment, a confinement without legal authority. This may be done for ransom or in furtherance of another crime, or in connection with a child custody dispute.

Of course, the logical first step in dealing with kidnapping is to prevent it in the first place as they have become rampant in Nigeria lately. This means not being time-and-place predictable, limiting the number of people who have access to your itinerary, and arranging for a security detail if necessary. That is to say, be consciously suspicious:

Assume the office or plant you are visiting has been penetrated by people adversarial to your interests, says McCann.

69162.jpg Hostage-taking: The original definition meant that this was handed over by one of two belligerent parties to the other or held in custody as refuge for the carrying out of an agreement, or as a preventive measure against certain acts of war. A hostage is therefore a person or entity which is held by a captor.

In contemporary usage however, it means someone who is seized by a criminal abductor in order to compel another party such as a relative, employer, law enforcement, or government to act, or refrain from acting, in a particular way, often under threat of serious physical harm to the hostage(s) after expiration of an ultimatum.

69164.jpg Terrorism: Terrorism is a controversial term with multiple definitions, one of which is an organised violence against a government with hostility exclusively aimed at particular targets. Another definition is the use or threatened use of violence for the purpose of creating fear in order to achieve a political, religious or ideological ambition. Under the latter meaning, the targets of terrorist acts can be anyone including civilians, government officials, military personnel or people serving the interests of governments. In the early 21st century, terrorism used to be regard as a constant threat to the entire global community before the worst disaster of its kind that assaulted the U.S. on September 11, 2001 now popularly known as 9/11 (see Chapter 15 for details).

Security awareness

Security awareness is the knowledge and attitude individuals and members of an organization have towards the protection of the tangible and intangible valuables and especially, information assets of that organization. Many organizations require formal security awareness training for all workers when they join the organization and periodically thereafter, usually annually.

Topics covered in security awareness training include:

• The nature of sensitive material and physical assets they may come in contact with, such as trade secrets, privacy concerns and government classified information

• Employee and contractor responsibilities in handling sensitive information, including review of employee nondisclosure agreements

• Requirements for proper handling of sensitive material in physical form, including marking, transmission, storage and destruction

• Proper methods for protecting sensitive information on computer systems, including password policy and use of two-factor authentication

• Other computer security concerns, including malware, phishing, social engineering, etc.

• Workplace security, including building access, wearing of security badges, reporting of incidents, forbidden articles, etc.

• Consequences of failure to properly protect information, including potential loss of employment, economic consequences to the firm, damage to individuals whose private records are divulged, and possible civil and criminal penalties

According to ENISA ‘Awareness of the risks and available safeguards is the first line of defence for the security of information systems and networks:’

‘The focus of Security Awareness consultancy should be to achieve a long term shift in the attitude of employees towards security, whilst promoting a cultural and behavioural change within an organisation. Security policies should be viewed as key enablers for the organisation, not as a series of rules restricting the efficient working of your business.’

Being Security Aware means that one understand that there is the possibility for some people to deliberately or accidentally steal, damage, or misuse the information that is stored within computer systems and through other sources of the organization. Therefore, it would be prudent to support the assets of an institution (information, physical, and personal) by preventing that from happening.

Threat management

A comprehensive treatment of the topic of threat management is beyond the scope of our present purpose. Yet, a practical explanation of threat management that outlines a commonly used process is provided here to explain some of the basic terms. The CISA Review Manual 2006 provides the following definition of risk management:

Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization (http://en.wikipedia.org/wiki/Information_security#cite_note-1).

Two things are obvious from this definition that requires some amplification. First, the process of risk management is an ongoing iterative that must be given emphasis ad infinitum since societal or the business environment is constantly changing with new threats and vulnerabilities emerging on a daily basis. Second, the choice of countermeasures (controls) used to manage threats must strike a balance between productivity, cost, effectiveness of the countermeasure and the value of the advantage to be derived.

A threat is the danger of the likelihood that something bad will happen that causes harm to the public interest, lives, property (or the loss of an advantage). Vulnerability is a weakness that could endanger or instigate harm to societal wellbeing whilst a threat is anything (man made or act of nature) that has the potential to cause damage. The likelihood that a threat will by reason of vulnerability initiate harm creates a risk. When a threat does use a vulnerability to trigger harm, it produces an unsafe impact. In the perspective of societal comfort, the impact is hostility that causes loss of cordiality, integrity and privacy to enjoy peacefulness, and possibly other losses (lost income, loss of life, loss of real property and all that.). It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all threats to society. The protracted security risk is called residual risk.

A security threat assessment that is carried out by a team of security expert on specific areas or for a particular of the business may have varying team or objective over time as different requirements are assessed. Such assessment may use a subjective qualitative analysis based on informed opinion, or where reliable economic and historical consideration is necessitated, the analysis may draw on quantitative analysis.

The ISO/IEC 27002:2005 Code of practice for information security management for instance recommends the following be examined during a risk assessment:

• Security policy,

• Organization of information security,

• Asset management,

• Human resources security,

• Physical and environmental security,

• Communications and operations security,

• Access control,

• Information systems acquisition, development and maintenance,

• Information security incident management,

• Business continuity planning and management, and

• Regulatory compliance.

In broad terms the threat management process consists of:

1. Threats identification and evaluation—incorporating people, buildings, hardware, software, data (electronic, print, other), supplies.

2. Assessment of other threat aspects that incorporate Acts of nature, acts of war, accidents, sabotage (malicious acts originating from inside or outside).

3. Conduct a vulnerability assessment, and for each vulnerability, analysis of likelihood of its being exploited.

4. Evaluation of policies, procedures, standards, training, physical security, quality control, technical security.

5. Determination of impact that each threat may have on security of lives and property using qualitative or quantitative analysis.

6. Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset.

7. Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost effective protection without discernible loss of productivity.

For any given threat, the relevant authority may choose to accept the risk based on the relative low value of the threat, the relative low frequency of occurrence and the relative low impact on the society. Otherwise, leadership may choose to mitigate the risk by selecting and implementing appropriate control measures to lessen the impact of the risk. In certain cases, the risk can be transferred to another concern through insurance cover or out-sourcing to another business. The realism of the different risks is not clear-cut that the management may choose preference to deny the risk which in itself is a potential risk.

Control measures

When Management chooses to mitigate a risk, it is done by implementing one or more of following three different kinds of control measures:

Administrative

Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines that the kernel of running the establishment and managing the community. They inform people on how the system is to be run and how day to day operations are to be conducted. Rules and regulations created by government agencies are also a sort of administrative control because they inform the institution. Some industrial sectors have laid down policies, procedures, standards and guidelines that must be followed—the Payment Card Industry (PCI) Data Security Standard required by Visa and Master Card is such an example. Other examples of administrative controls iwwnclude the corporate security policy, password policy, personnel employment and evaluation policies as well as disciplinary policies. Administrative controls form the basis for the selection and implementation of logical and physical controls. Logical and physical controls are articulations of administrative controls which are of overriding importance to operational efficiency.

Logical

Logical controls (also called technical controls) apply software and statistics analysis to monitor and control access to information and computing systems. For example: passwords, network and host based firewalls, network intrusion detection systems, access control lists, and data encryption are logical controls. An important logical control that is frequently overlooked is the principle of least privilege. This principle requires that an individual, program or system process is not granted any more access privileges than are necessary to perform a required task. A clear example of the failure to adhere to the principle of least privilege is logging into Windows as user Administrator to read Email and surf the Web. Violations of this principle can also occur when an individual collects additional access privileges over time. This happens when employees’ duties’ post change or they are promoted to a new position, or even transferred to another department. The access privileges required by their new assignments are frequently added onto their already existing access privileges which may no longer be necessary or appropriate.

Physical

Physical controls are measures adopted to monitor and supervise the situation of the work place and computing facilities. They are also forms of surveillance that control access to and from of within such facilities. For example: doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, CCTV cameras, barricades, fencing, security guards, cable locks, etc. Separating the network and work place into functional areas are also form of physical controls. An important physical control method that is frequently overlooked is the separation of duties. Separation of duties ensures that an individual can not complete a critical task all by himself. For instance: an employee who submits a request for reimbursement should not also authorize such payment or print the check. An applications programmer should not also be the server administrator or the database administrator—these roles and responsibilities must be separated from one another to make for checks and balances (http://en.wikipedia.org/wiki/Information_security#cite_note-2).

Security classification of information

An important aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for the information. Not all information is equal and so not all information requires the same degree of protection. This requires information to be assigned a security classification on the Need to Know basis.

The primary consideration in information classification is to designate a senior management staff as owner of the particular information to be classified. Next, is to develop a classification policy that should adequately depict and define the different criteria classification labels for information to be assigned a particular label, and list the required security controls for each classification. Some factors that influence classification of information include how much value be assigned in information has to the organization, how old the information is and whether or not the information has become obsolete. Laws and other regulatory requirements are also important considerations in classifying information. General information classification labels used by the business (private) sector include: public, sensitive, private, confidential. While those commonly applied to government establishments are: Unclassified, Sensitive But Unclassified, Restricted, Confidential, Secret, and Top Secret with their non-English equivalents (see Chapter 8 and Appendix 3 for details).

Access control

Access to sensitive security facilities and information has to be restricted to unauthorized persons and adversarial interests. Similarly, computer networks, programs, and workstations, must also require permission through validation of passwords and personal identification numbers (PIN) for access. The selection of proper credentials and the verification features requires complex planning and difficult decisions that can be found in Security Professional guidelines with the security professionals to enforce compliance.

Identification is the verification of identity of someone or what something is. If a person makes the statement Hello, my name is John Doe; this is merely a claim that needs to be confirmed. Since the claim may or may not be factual call for proof before such a person claiming to be John Doe is granted access.

Authentication is the act of verifying a claim of identity as in John Doe going to a bank to carry out a transaction, which require presentation of an identity or pass card to authenticate his claims. In this direction, there are three dimensions to information that can be used for authentication: a) something you know, b) something you have, or c) something you are. Examples of something you know include such things as a PIN, a password, or your mother’s maiden name. Instances of something you have are driver’s licenses or magnetic swipe card; while Something you are, refers to biometrics; illustrated by biometrics that include palm prints, finger prints, voice and retina (eye) scan recognitions. Strong authentication requires providing information from two of the