The ESRM Life Cycle In Action Simulation Exercise September 23, 2018



Simulation Agenda
Simulation Overview
The ESRM Cycle
Team Roles and Responsibilities
Exercise Phase 1: Understanding the Business
Exercise Phase 2: Developing the Program
Exercise Phase 3: Presenting a Plan

Simulation Overview
Goal: Practice the business-centered approach of developing a security program and plan in partnership with executives and business owners in your organization.
Method: A role-playing based simulation where participants will:
1. Learn about their new company and understand the needs of their executive partners.
2. Develop one piece of a security program using an ESRM approach.
3. Present the developed security risk mitigation plan to an executive security council.

The ESRM Cycle
Identify and Prioritize Assets: Identifying, understanding, and prioritizing the assets of an organization that need protection.
Identify and Prioritize Risks: Identifying, understanding, and prioritizing the security threats the enterprise and its assets face, both existing and emerging, and, critically, the risks associated with those threats.
Mitigate Prioritized Risks: Taking the necessary, appropriate, and realistic steps to protect against the most serious security threats and risks.
Improve and Advance: Conducting incident monitoring, incident response, and post-incident review, learning from both successes and failures and applying the lessons learned to advance the program.
See handout "ESRM Background - ESRM Cycle" for details.

Team Roles and Responsibilities
CanadaGreen Solar's CEO has decided to hire a security team because of some recent troubling stories in the news. A colleague of his was telling him about a new ESRM program at his firm and he thought it was a good idea. He wants the new security team to build an ESRM program.
Newly Hired Team:
CSO (Chief Security Officer)
VP Information Technology Security (CISO)
Senior Director of Security, Operational Technology Security
VP Asset Security (Access / Monitoring / Response)
VP Security Compliance (Investigations / Threat Management / Field Ops Security)
VP Organizational Resilience (DR / BCM / Crisis)
VP Security Program Management
See handout "Company Background - Security Dept Job Descriptions" for details.

Exercise Phase 1: Understanding the Business

Understanding Your Business
1. Learn About Your Company
2. Learn About Your Internal Business Partners
3. Recommend Your Approach
Handouts For This Phase:
Exercise - The ESRM Checklist (Phase 1 Section)
Company Background - Company Overview
Company Background - Executive Bios
Company Background - Facilities
ESRM Background - Security Council White Paper
ESRM Background - Security Governance By Discipline
ESRM Background - Skills for ESRM Personnel by Discipline
Exercise - Sample Security Policy
Exercise - Sample Security Council Charter
Phase 1 Deliverables:
1. Recommended Security Governance Approach
2. Draft Security Policy
3. Recommended Security Organization
Time: 1 Hour

Exercise Phase 2: Develop a Program

Developing a Program
1. Develop a Plan to Mitigate a Risk Using Design Thinking Methods
   Get Your Risk Scenario From a Facilitator
Handouts For This Phase:
Exercise - The ESRM Checklist (Phase 2 Section)
Exercise - Blank Proposal Template
Exercise - How To Do Executive Presentations
Phase 2 Deliverables:
1. Recommended Security Risk Mitigation Plan
2. Presentation for Executives
Time: 1 Hour

Exercise Phase 3: Present the Program


Present the Program
1. Volunteer to Present Your Team's Solution to the Security Council!
Our security council will listen to proposed ideas, ask questions, offer comments, and determine whether the solution is a good fit for the risk posture of CanadaGreen.
Time: 1 Hour