
The Master Plan - achieving end state

The master plan is the ‘end state’ the Security Manager wants to reach: all desired improvements and upgrades are complete, and Security is best-in-class, best-fit and “perfect” for today’s risk scenarios. The definition of "best-fit Security" is very simple: sufficient and logical to balance all credible risks (it is a myth).



[Figure: Overview - how to get visibility of Security Master Plan]

But as we know, risks are dynamic. They change with time and reshape themselves, and threat actors keep innovating and instituting new ways to attack, so the “Master Plan” cannot be static. Reaching perfection is a mirage; achieving or completing the master plan will never appear possible. The adversary, the bad guy, will always find a new path to breach, and a master plan made and achieved once cannot prevent such newly invented risks.

So the queries arise: why do we need a master plan? How to make it? How to manage it? This blog aims to share the experience of drafting a master plan and implementing it in practice.


Why Master Plan?

The size of the facility or assets to protect does not change the need for a Security master plan; only the components in the master plan vary. There are various reasons a Security Manager or Security team needs a master plan, and if made wisely and sensibly it acts like a guiding star. However, it is not the first step as far as Security documentation is concerned. The opening move must be “risk assessment”: unless we know, quantify and measure the risks, we cannot plan what to do for risk mitigation. An important part of this first step is that Management should approve the risk list and concur on the cost of each risk getting real. Don't expect Management to do the risk estimation; it is the role of a multi-skilled team to contribute, with primary responsibility lying with Security.

Once the risks AND the cost of not managing them are known, the master plan is made by sorting the Security components by status as below:

What is in hand that can be carried forward? ….. no cost is required.

What is in hand that needs an upgrade? ….. less cost is required.

What is in hand that needs to be replaced? ….. cost is required.

What is not there, but is required to mitigate the risk? ….. cost is required.

The master plan plays an important role in getting the budget for Security expenditure approved. The work done by the Security Manager in risk assessment and quantification pays back here.

As Management knows the loss value if a risk gets real, approving the budget for risk treatment becomes easy because the master plan gives the bigger picture. It assures Management that the Security Manager has seen the big picture before approaching for Capex/Opex approvals for Security.

Please remember, one component alone cannot cover a risk fully; it is multiple components coming together that reduce some part of the risk. So the challenge for the Security Manager is to keep cost assessments ready for all components and move step by step through a priority list to implement the master plan components. This priority list also enables Management and the Security Manager to identify the quick wins.


How to make Master plan?

The master plan is a high-level summary that can be represented as a chart or a list showing the following:

a). Components needed for mitigating the risk within the five Security layers. Refer to the list of components under each layer.

b). Status of each component. This can be shown by colour coding, indicating which as-is components are good to carry forward, which require an upgrade, and which need to be added.

c). Priority scoring of each missing component, and possibly also of components that need an upgrade. This comes from the risk assessment exercise. Once risk quantification is done with respect to the as-is scenario and the upgrades required (i.e. the Security components to be added), we know in how many risk scenarios each missing Security component adds value by reducing the risk rating. Existing systems that only require an upgrade are easy rewards.

d). Integration and relations between Security components. This is important to know which components can or cannot be implemented and their dependencies on other components, e.g. isolating e-access control from video surveillance in a large-scale setup.

e). Integration with non-Security components. This is generally the missed part when a Security plan is drafted; a very common mistake is to consider Security alone in risk mitigation. E.g. people data flowing from the Human Resource system to the Identity and Access Management system, and access in/out data returned for use in Safety head counts or attendance.
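One way to turn items b) to d) into a scored priority list, as an added example that is not from the post: each component carries a status, a cost and its dependencies, and each risk scenario records its rating today plus what the rating would be with one component in place. Component names, costs and ratings below are constructed and hypothetical.

```python
# Constructed sample data (hypothetical names, costs and ratings, not from the post).
# Component: (status, cost, dependencies). Status carry = carry forward at no cost,
# upgrade = existing but needs upgrade (less cost), replace / add = cost required (> 0).
COMPONENTS = {
    "CCTV": ("carry", 0, ()),
    "VMS": ("upgrade", 20, ("CCTV",)),
    "ACS": ("add", 100, ()),
    "ACS-VMS integration": ("add", 30, ("ACS", "VMS")),
    "Guard patrol SOP": ("upgrade", 5, ()),
}
# Scenario: (rating today, {component: rating if that component alone is in place}).
SCENARIOS = {
    "Tailgating into server room": (20, {"ACS": 10, "ACS-VMS integration": 8}),
    "After-hours intrusion": (15, {"VMS": 12, "Guard patrol SOP": 10, "ACS": 12}),
    "Insider theft": (12, {"ACS": 8, "Guard patrol SOP": 10}),
}

def priority_scores(components, scenarios):
    """Item c): for each component needing spend, count the scenarios whose rating
    it reduces and the total reduction; existing upgrades are the quick wins."""
    scores = {}
    for name, (status, cost, _) in components.items():
        if status == "carry":
            continue
        hits = reduction = 0
        for as_is, with_comp in scenarios.values():
            new = with_comp.get(name, as_is)
            if new < as_is:
                hits, reduction = hits + 1, reduction + (as_is - new)
        scores[name] = {"scenarios": hits, "reduction": reduction,
                        "cost": cost, "quick_win": status == "upgrade"}
    return scores

def ordered_plan(components, scenarios):
    """Implementation order: best reduction per unit cost first, but a component is
    never scheduled before the components it depends on (item d)."""
    scores = priority_scores(components, scenarios)
    done = {n for n, (status, _, _) in components.items() if status == "carry"}
    pending = sorted(scores, key=lambda n: scores[n]["reduction"] / scores[n]["cost"],
                     reverse=True)
    order = []
    while pending:
        ready = [n for n in pending if set(components[n][2]) <= done]
        if not ready:  # circular or unmet dependency: fix the dependency map first
            raise ValueError("unresolvable dependency: " + ", ".join(pending))
        order.append(ready[0])
        done.add(ready[0])
        pending.remove(ready[0])
    return order
```

With the sample data the cheap SOP upgrade comes first, and the ACS-VMS integration is held back until both ACS and the VMS upgrade are scheduled, even though its reduction per unit cost beats ACS alone.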


[Figure: Sample Master Plan]

Once the risk assessment is successfully completed, identify the components which are missing. The risk assessment should also give the priority of each missing component. It is important to keep the master plan a confidential document, as it gives a clear picture of the weaknesses in Security operations. As approvals come through and components are implemented over time, the Security Manager should review the master plan every time a risk assessment is carried out.

Comments

  1. Excellent blog Smit... this is quite organic and informative with realistic & practical inputs. Continue generating such content to educate this very fraternity!!
