
Module:

Business Security Management


What is the similarity between Security & Safety?

Enforcement

Compliance

What are the differences between Security & Safety?

SECURITY | SAFETY
Something that secures: protection | The condition of being safe from undergoing or causing hurt, injury, or loss of life.
That which secures or makes safe; protection; guard; defense. | Freedom from unacceptable danger, risk or harm
An incident is most often a result of one person or a group of people | An incident is most often a result of human behavior in combination with the environment
Causes often planned actions | Causes often unplanned actions
Related to criminal acts | Often related to OSHA and other working environmental acts
Mainly malicious acts | Seldom, if ever, malicious
Mainly deliberate acts with a wish of a wanted output/consequence of the act | Mainly deliberate acts without a wish of a wanted output, and accidental incidents
More difficult and subjective to identify hazard | Hazard easily identified
More to External and Internal human threats | More to Internal human threats
Threats are not always observable, tangible and proximate | Hazards are observable, tangible and proximate
Loss is mainly related to physical assets and information | Loss is related to human injuries/death and reliability of industrial assets
Reflects the state of society through its structures, economical situation, law abidingness and moral | Includes physical and environmental conditions – not only humans and society
Relevant for a wide range and borderless | More relevant in the working environment
Modus operandi applicable to any organization | May differ with different industry

CULTURE

Culture is equal to collective behaviors over a time frame of about 5 years (culture = behavioural practice sustained over a period of 5 years).

Influenced by home and workplace, inclusive of former workplace (home, family, society, including the culture of the former workplace).

At the workplace we have to adopt and practice the culture of the company: ethics, values and corporate philosophy (company culture).

SECURITY CULTURE
- The Malaysian Experience

A SECURITY practice, whether positive or negative, that is carried out continuously becomes a habit and subsequently becomes the security culture of that community.
LEVEL OF SECURITY AT YOUR SITE/PLANT?

MAXIMUM / MINIMUM?

Is the security adequate?

CRIME FORMULA (diagram elements: Crime, Threat, Weakness, Risk)

• Crime will happen when a Threat and a Weakness both exist
• To handle the crime, either one should be eliminated
• The existence of a threat may be temporary, and it may change into another threat
• It is more meaningful to overcome the weakness than to eliminate the threat
INTERNAL THEFT FORMULA

NEEDS, JUSTIFICATION and OPPORTUNITY together lead to INTERNAL THEFT / EMPLOYEE THEFT:

NEEDS: "I need to hit my monthly target"

JUSTIFICATION: "Everyone's doing it"

OPPORTUNITY: "nobody really checks"
EVOLUTION OF SECURITY

1. Reactive – tending to react *
2. Proactive – serving to prepare for, intervene in *
3. Predictive – being an indication of the future *
4. Preemptive – taken as a measure against something possible *

* from Dictionary.com
4D Concept in Security
D – Deny

D – Deter

D – Delay

D – Detect
Ultimate Aim is……

PEACE OF MIND
Introduction

Business Security Management is critical to business and operations

Information security (INFOSEC) is included, and is evolving into Business Security

What Is Security?

"The quality or state of being secure—to be free from danger and crime"

Security is achieved using several strategies simultaneously

What Is Security?

Security is defined as the creation (and maintenance) of a secure environment in which, as far as practicable, its people are safe, its assets and operations are protected from theft, fraud, misappropriation and wilful damage, and its sensitive and proprietary information is kept private

Security Spectrum

Physical Security
Crisis Management and Business Continuity
Fraud Management
Risk Management
Investigation
Information Security
Security Design (CPTED – Crime Prevention Through Environmental Design)

Personnel Protection (Travel advisory)

Security Technology

Generic Areas of Security

Active security
Security guard
Electronic security system

Passive security
Basic mitigation measure, e.g. fence

Operations security
SOP, SOG, etc.

Generic Areas of Security (continued)

Information Security (InfoSec)

Communications security
Network security
Computer Security

Holistic Business Security Management

Business Security Management (diagram):

Engagement with Stakeholders
Staff Awareness and Training
Security Operational Procedures
Passive Security Mitigation
Active Security (SS, ESS, INFOSEC & OFSEC)

Losses to Business and Disruptions to Operations from: Theft, Pilferage, Sabotage, Robbery

Security Objective

Prevention of losses to business and disruptions to operations from:
– Theft
– Sabotage
– Robbery
– Pilferage

Active Security

Physical Security – Security Guard and Electronic Surveillance & Monitoring System

Office Security (OFSEC)

Information Security (INFOSEC)

Office Security (OFSEC)

Protected with alarm system

CCTV is located at the cashier area, admin office and at the points of entry and exit

Access card to enter the office, cashier working area and admin office

Cashier workstation equipped with panic button

Cash and cheques are kept in the safe box. Mandatory for cashier to comply with Finance SOP on cash handling procedure

Cash in transit (CIT) services to minimize the risk of keeping cash in the office after working hours

Static security (if required) to manage visitors and office security

Passive Security Mitigation

Operational Security

Standard Operating Procedure (SOP)
Standard Operating Guideline (SOG)
Security Manual
Working Instruction (WI)
Operation Procedure Instruction (OPI)

Security Awareness & Training

Internal
External
Online

Engagement with Stakeholders

PDRM
SPRM
Local Enforcement Authority
Security Association
Networking

Introduction: Information Security (INFOSEC)

InfoSec includes information security management, computer security, data security, and network security

Policy is central to all information security efforts

Communities of Interest

InfoSec community: protect information assets from threats

IT community: support business objectives by supplying appropriate information technology

Business community: policy and resources

Components of Information Security

Key Concepts of Information Security (diagram): Confidentiality, Integrity, Availability, Privacy, Identification, Authentication, Authorization, Accountability

Key Concepts of Information Security

Confidentiality
– Confidentiality of information ensures that only those with sufficient privileges may access certain information
– To protect confidentiality of information, a number of measures may be used, including:
  Information classification
  Secure document storage
  Application of general security policies
  Education of information custodians and end users

Key Concepts of Information Security

Integrity

– Integrity is the quality or state of being whole, complete, and uncorrupted

– The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state

– Corruption can occur while information is being compiled, stored, or transmitted

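The integrity bullets above describe what must be detected but not how. The following Python is an added example, not code from the original slides: it seals a record with a keyed SHA-256 tag (HMAC) and then refuses the record if even one byte was altered while it was stored or transmitted. The key, the sample record and the simulated corruption are constructed values.

```python
"""Integrity check for a record while it is stored or transmitted.

Added illustration, not from the original slides. The key, the record and
the simulated corruption are constructed sample values.
"""
import hashlib
import hmac
import json

# Constructed sample key; in practice it would come from a key store.
INTEGRITY_KEY = b"constructed-sample-key-change-me"


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> bytes:
    """Serialise a record canonically and append a keyed integrity tag."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def verify(blob: bytes, key: bytes = INTEGRITY_KEY):
    """Return the record if its tag still matches, else None.

    None means the blob was corrupted or tampered with somewhere between
    seal() and here: the content is no longer in its authentic state.
    """
    body, sep, tag = blob.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def flip_byte(blob: bytes, index: int) -> bytes:
    """Simulate corruption in storage or transit by altering a single byte."""
    return blob[:index] + bytes([blob[index] ^ 0x01]) + blob[index + 1:]


if __name__ == "__main__":
    sealed = seal({"account": "cash-ledger", "balance": 1250})   # constructed record
    print(verify(sealed))                    # {'account': 'cash-ledger', 'balance': 1250}
    print(verify(flip_byte(sealed, 12)))     # None: one byte changed in the body
    print(verify(sealed, key=b"other-key"))  # None: wrong key, tag does not verify
```

A plain (unkeyed) hash would detect accidental corruption only; the keyed tag also rejects deliberate changes by anyone who does not hold the key, which is why the verify step compares tags in constant time.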
Key Concepts of Information Security

Availability

– Availability is making information accessible to users, without interference or obstruction, in the required format

– A user in this definition may be either a person or another computer system

– Availability means availability to authorized users

Key Concepts of Information Security

Privacy

– Information is to be used only for purposes known to the data owner

– This does not focus on freedom from observation, but rather that information will be used only in ways known to the owner

Key Concepts of Information Security

Identification

– Information systems possess the characteristic of identification when they are able to recognize individual users

– Identification and authentication are essential to establishing the level of access or authorization that an individual is granted

Key Concepts of Information Security

Authentication

– Authentication occurs when a control provides proof that a user possesses the identity that he or she claims

Key Concepts of Information Security

Authorization

– After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset

Key Concepts of Information Security

Accountability

– The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process

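Identification, authentication, authorization and accountability, as defined on the preceding slides, are easiest to see as one chain. The Python below is an added illustration, not code from the original slides: users, passwords, roles, asset names and the policy table are constructed sample data, and the PBKDF2 iteration count is a sample value rather than a recommendation.

```python
"""Identification -> authentication -> authorization -> accountability,
in one small access-control flow.

Added illustration, not from the original slides. Users, passwords, roles,
asset names and the policy table are constructed sample data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is a sample value, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    roles: frozenset


# Actions each role is explicitly permitted on each asset (constructed sample policy).
POLICY = {
    "cashier": {"cash-ledger": {"access", "update"}},
    "finance-manager": {"cash-ledger": {"access", "update", "delete"}},
    "guard": {"visitor-log": {"access", "update"}},
}


class AccessControl:
    def __init__(self):
        self._users = {}
        # Accountability: every decision is attributed to a named principal here.
        self.audit_log = []

    def register(self, name, password, roles):
        salt = os.urandom(16)
        self._users[name] = User(name, salt, _hash_password(password, salt), frozenset(roles))

    def identify(self, name):
        # Identification: does the system recognise this claimed identity at all?
        return self._users.get(name)

    def authenticate(self, name, password):
        # Authentication: proof that the caller possesses the identity it claims.
        user = self.identify(name)
        if user is None:
            self._record(name, "authenticate", None, False, "unknown identity")
            return False
        ok = hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)
        self._record(name, "authenticate", None, ok, "ok" if ok else "bad password")
        return ok

    def authorize(self, name, action, asset):
        # Authorization: is this identity explicitly permitted this action on this asset?
        # Anything the policy table does not grant is denied (default deny).
        user = self.identify(name)
        allowed = user is not None and any(
            action in POLICY.get(role, {}).get(asset, set()) for role in user.roles
        )
        self._record(name, action, asset, allowed, "policy")
        return allowed

    def request(self, name, password, action, asset):
        # The whole chain; authorization is reached only after authentication succeeds.
        if not self.authenticate(name, password):
            return False
        return self.authorize(name, action, asset)

    def _record(self, who, action, asset, allowed, reason):
        self.audit_log.append({"who": who, "action": action, "asset": asset,
                               "allowed": allowed, "reason": reason})


def build_sample_system():
    """Constructed sample users; returns a populated AccessControl."""
    ac = AccessControl()
    ac.register("alice", "s3cret-sample", ["cashier"])
    ac.register("bob", "hunter2-sample", ["finance-manager"])
    return ac


if __name__ == "__main__":
    ac = build_sample_system()
    print(ac.request("alice", "s3cret-sample", "update", "cash-ledger"))  # True
    print(ac.request("alice", "s3cret-sample", "delete", "cash-ledger"))  # False
    for entry in ac.audit_log:
        print(entry)
```

Every denial, including a failed login for an unknown name, still produces an audit entry naming the claimed principal, which is what makes the accountability property hold for failed attempts as well as successful ones.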
What Is Management?

Management is…

A process consisting of planning, organizing, actuating and controlling, performed to determine and accomplish the objectives by the use of people and resources – George R. Terry (1953)

The process undertaken by one or more individuals to coordinate the activities of others to achieve results not achievable by one individual acting alone – Donelly (1987)

Differences Between Leadership and Management

Boss… "GO!!!!…"

Leader… "Let's go…"

Differences Between Leadership and Management

The leader influences employees so that they are willing to accomplish objectives. He or she is expected to lead by example and demonstrate personal traits that instill a desire in others to follow. Leadership provides purpose, direction, and motivation to those that follow.

A Manager administers the resources of the organization by
– Creating budgets
– Authorizing expenditures
– Hiring employees

A Manager can also be a leader.

Characteristics of Management

Two well-known approaches to management:

– Traditional management theory using principles of Planning, Organizing, Staffing, Directing, and Controlling (POSDC)

– Popular management theory categorizes principles of management into Planning, Organizing, Leading, and Controlling (POLC)

Management Functions

Planning

Planning: process that develops, creates, and implements strategies for the accomplishment of objectives

Three levels of planning:

– Strategic – occurs at the highest level of the organization

– Tactical – focuses on production planning and integrates organizational resources

– Operational – focuses on day-to-day operations of local resources

Planning (Continued)

In general, planning begins with the strategic plan for the whole organization

– To do this successfully, the organization must thoroughly define its goals and objectives

Organizing

Organizing is a principle of management dedicated to structuring of resources to support the accomplishment of objectives

Organizing tasks requires determining:
– What is to be done
– In what order
– By whom
– By which methods
– When

Controlling

Control:

– Monitoring progress toward completion

– Process where managers assure actual activities conform to plan

– Making necessary adjustments to achieve the desired objectives

The controlling function determines what must be monitored, as well as using specific control tools to gather and evaluate information

Leading

Encourages the implementation of the planning and organizing functions, including supervising employee behavior, performance, attendance, and attitude

Leadership generally addresses the direction and motivation of the human resource

What Makes a Good Leader?

Action plan for improvement of leadership abilities
1. Knows and seeks self-improvement
2. Be technically and tactically proficient
3. Seek responsibility and take responsibility for your actions
4. Make sound and timely decisions
5. Set the example
6. Knows [subordinates] and looks out for their well-being
7. Keeps subordinates informed
8. Develops a sense of responsibility in subordinates
9. Ensures the task is understood, supervised, and accomplished
10. Builds the team
11. Employs a team in accordance with its capabilities

Characteristics of a Leader

1. Bearing
2. Courage
3. Decisiveness
4. Dependability
5. Endurance
6. Enthusiasm
7. Initiative
8. Integrity
9. Judgment
10. Justice
11. Knowledge
12. Loyalty
13. Tact
14. Unselfishness

Behavioral Types of Leaders

Three basic behavioral types of leaders:

– Autocratic – action-oriented, "Do as I say"

– Democratic – action-oriented and likely to be less efficient

– Laissez-faire – laid-back.

Managerial Roles

Informational role: Collecting, processing, and using information to achieve the objective

Interpersonal role: Monitoring and interacting with superiors, subordinates, outside stakeholders, and others

Decisional role: Selecting from alternative approaches and resolving conflicts, dilemmas, or challenges

Solving Problems

All managers face problems that must be solved.

Step 1: Recognize and Define the Problem
Step 2: Gather Facts and Make Assumptions
Step 3: Develop Possible Solutions
Step 4: Analyze and Compare the Possible Solutions
Step 5: Select, Implement, and Evaluate a Solution

Principles Of Information Security Management

Information security management is part of the organizational management team.
The extended characteristics of information security are known as the six Ps:
– Planning
– Policy
– Programs
– Protection
– People
– Project Management

INFOSEC Planning

Planning as part of InfoSec management is an extension of the basic planning model discussed earlier in this chapter

Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of information security strategies

InfoSec Planning Types

Several types of InfoSec plans exist:
– Incident response
– Business continuity
– Disaster recovery
– Policy
– Personnel
– Technology rollout
– Risk management and
– Security program including education, training and awareness

Programs

A security education, training and awareness (SETA) program

Other programs that may emerge include a physical security program, complete with evacuation, fire and safety, integrity, etc.

Protection

Risk management activities, including risk assessment and damage control, as well as protection mechanisms, technologies, and tools

Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan

People

People in the organization are the most critical link in the Business and Information security program

It is imperative that managers continuously recognize this crucial role

Information security personnel and the security personnel should be well trained on Business Security

Don't let your trash become someone else's treasure. Dispose of it in the right way.

SECURITY AWARENESS/EDUCATION PROGRAM
