📜 Post with us on Reddit
📝 Create a new article
🏭 Create a company page
🇬🇧 - in English
🇫🇷 - en Français (FR)
🇵🇹 - em Português (PT)
🇩🇪 - in Deutsch (DE)
🇯🇵 - 日本語で (JA)
Sponsored articles

You can edit almost every page by Creating an account. Otherwise, see the FAQ.

Protective Security

From EverybodyWiki Bios & Wiki





Protective Security (PS) is the practice of prioritising and applying proportionate defensive security countermeasures, based upon the entity's perceived value of the assets and their risks.

Criticism[edit]

Many organisations have adopted particular security industry terms, whereas Protective Security involves the proportionate protection of valuable/critical assets and as an umbrella term it incorporates many other security terms, e.g.

Another environment in which the term Protective Security is often associated with, is with a nation's critical infrastructure protection.

However, within Military environments the term Protective Security is used in relation to the safeguarding of mission critical assets and operations, with each asset being categorised based upon the potential impact, in the event that these assets suffer a compromise of Confidentiality, Integrity and Availability (CIA), through the malicious or accidental actions of a threat actor.

Definitions[edit]

Various definitions of protective security are suggested below, summarized from different sources:

  1. "The organized system of defensive measures instituted and maintained at all levels of command with the aim of achieving and maintaining security.":[1]
  2. "Protective Security means the level of security provided by meeting the SPF mandatory requirements."[2]
  3. "The most effective way for an organisation to protect itself against national security threats is to use a combination of physical, personnel and people, and cyber security measures."[3]
  4. "The organised system of defensive measures used to counter security threats, instituted and maintained at all levels across CMTEDD to reduce the security risk to CMTEDD’s functions and official resources."[4]
  5. "Protective security is the effort to prevent espionage, sabotage, terrorism and other crimes against national security."[5]

Basic Principles[edit]

Based upon the various Protective Security standards and frameworks, the focus is around the following 10 principles[6]

  1. Business alignment. Security is a business enabler. It supports the efficient and effective delivery of services.
  2. Board-driven risk. Risk management is key and should be driven from Board level. Assessments will identify potential threats, vulnerabilities, and appropriate controls to reduce the risks to people, information, and infrastructure to an acceptable level. This process will take full account of relevant statutory obligations and protections
  3. Risk ownership. Accountable authorities own the security risks of their entity and the entity’s impact on shared risks.
  4. Proportionality. Security measures applied proportionately protect entities’ people, information, and assets in line with their assessed risks.
  5. Security culture. Attitudes and behaviours are fundamental to good security. The right security culture, proper expectations and effective training are essential.
  6. Team effort. Security is everyone’s responsibility. Developing and fostering a positive security culture is critical to security outcomes.
  7. Cycles of action. Cycles of action, evaluation and learning is evident in response to security events +/or incidents.
  8. Robust protection. Protective security should reflect the widest security objectives of the business and ensure that organization’s most sensitive assets are robustly protected.
  9. Transparency. Security must be a business enabler and should be framed to support the company’s objectives to work transparently and openly, and to deliver services efficiently and effectively, via digital services wherever appropriate.
  10. Policies & Procedures. Policies and processes will be in place for reporting, managing, and resolving any security incidents. Where systems have broken down or individuals have acted improperly, the appropriate action will be taken.

Protective Security Context[edit]

Using the military use of the term Protective Security, an effective strategy starts with a focus on the identification and categorization of an entity's assets and through an appreciation of the perceived threats, which pertain to these assets, appropriate controls can be selected and applied to help reduce the risk to within an organization's risk tolerances.

Many organizations have a focus on individual security industry terms (e.g. Cyber Security, Cyber Resilience, Information Security, etc.). Whereas, Protective Security includes all of these terms by focussing on:

  • Identify, categorise and prioritise assets, to allow effective Risk Management.

RISK = Asset Value (How important is the asset?) X Vulnerabilities (What vulnerabilities are associated with these assets?) X Threats (How might these vulnerabilities be exploited and by who?) X Impact (If the threat actors were to compromise the CIA of these assets, what might the potential fallout from it?)

It is important to remember that an asset is not just an IT system and applies to anything that is of value to an organisation and the threats can be both traditional and no traditional.

Threats Types (TESSOC)
Traditional Non-Traditional
Terrorism Other Crimes
Espionage Examples:
  • Organized Crime.
  • Theft.
  • Accidental.
  • Investigative Journalist.
  • Hacktivist.
  • Natural Disasters.
Sabotage
Subversion

An effective Protective Security strategy will incorporate multiple layers of defence, which make it progressively more difficult for a threat actor to compromise the valuable/critical assets of an entity.

Applying the Protective Security Concept[edit]

The criticality/value of an organization's assets is aligned to the importance they play in supporting or delivering a service/process which is deemed important to that business.

Military Example.[edit]

A member of the infantry needs an operational weapon system to be able to fight, or defend against an enemy.

Consequently, for the infantry unit, the weapon system would be identified as a critical/valued asset. For this system to be effective, another critical/valuable asset is the correct ammunition needed for the weapon to be able to be fired.

When considering the requirements needed to keep the weapon system operational, there are other assets that are important for the weapon system.

Additional Questions:[edit]
  • Would having spare working parts available, be something that is considered important?
  • How about any specialist tools (needed for cleaning or adjusting the weapon system)?
  • What about having enough magazines to load the ammunition into the weapon?
  • When considering what might need to be considered to keep the weapon system clean?
    • Would the weapon system cleaning kit be considered as being a valuable asset?
    • What about having the correct lubrication for the local environmental conditions (i.e. Graphite Grease for cold weather conditions)?
    • How about having the trained infantry personnel, skilled and available to operate the weapon system?

Protective Security Frameworks[edit]

The following are examples of some of the Protective Security Frameworks that have been developed by country governments:

With the numerous security domain involved with an effective Protective Security program, the successful application requires a generalist knowledge of these domain areas and the integration between the various specialist areas. This should not be confused the bodyguards' Protective Security Units, with an association with the safeguarding of a specific asset type (i.e. VIP Protection of the 'Principal' and their family).

Alignment to Industry Security Standards[edit]

When looking at the relationship between Protective Security and other Industry Security Standards (e.g. ISO/IEC 27001, PCI DSS, CIS 20, NIST CSF, etc.), these are specific catalogues of security controls developed for the protection of specific asset types.

  • For example, with PCI DSS these controls have been designed to protect any business assets (involved in (or may impact) the processing, transmission or storage of cardholder data and includes Third Party Management). These controls have been created by the PCI SSC, to mitigate the known threats for payment card operations.

Protective Security Education[edit]

Various educational courses are available, suggested below, summarized from different sources:

  • Master of Protective Security Management (MPSM)
    • This program is designed especially for those organizations dealing with critical infrastructures and key installations, such as government agencies, energy & utilities, health services, transportation, banking & finance, info & telecommunication, etc.
  • Protective Security Management BA(Hons).
    • There are many skills required of an adept and effective protective security manager, who may be responsible for the protection of high net worth individuals, teams working in hostile environments and multi-million-pound projects.
  • Protective Security and Resilience PGCert, PGDip, MSc.
    • Protective Security and Resilience is becoming an important and influential consideration in the counter terrorism, security and development disciplines, particularly in relation to crowded places and critical infrastructure protection.
  • Fundamentals of Protective Security
    • This course gives learners and introduction to the fundamentals of protective security. Using the globally recognised “Three D” principles, Deter, Detect, Delay, this course gives examples of how security measures can be implemented in various areas of a site to protect assets.
  • Protective Security Certificate™ (PSC)
    • The 53-day Protective Security training program has quickly become the standard in the industry. We actually teach you how to protect, and not just useless drills from outdated government agency manuals. Since our staff is currently working in high threat environments between classes, we can give students actual usable information regarding mitigating risks to their team and their principals. Our PSC program is comprised of 5 modules.
  • Protective Security Detail (PSD)
    • The purpose of this multi-discipline course is to provide the unit with the principles of Protective Security Detail (PSD) as it relates to their mission while deployed. It contains Live-Fire and Force-on-Force Scenarios. It allows the unit to develop and test their Standard Operating Procedures during the two weeks of instruction.
  • Spear Point Protective Security Courses
    • Our Protective Security Courses offer expert training to Law Enforcement, Tactical Teams, Military and the Private Sector to conduct protective operations for witnesses, public officials, dignitaries and other persons who require protection for their safety.

Conclusion[edit]

Not to be confused with focused branches of Protective Security (e.g. Bodyguarding), this term is focused on the proportionate defence of an entity's assets and incorporates all of the well known security industry terms.

Protective Security is often associated with only the protection of critical national infrastructures or Bodyguarding. Additionally, the security industry could learn a great deal from the Protective Security field to use this as an umbrella term, within which all the other 'Buzz terms' would reside.

Much as the national infrastructures and bodyguards have VIP assets, so do most business. Therefore, based on the military application, these principles can be successfully applied to the safeguarding of any businesses critical/important assets from unsafe actions by threat actors (both internal and external).

It is important that the security industry and business are able to distinguish between the isolated security concepts (e.g. Close Protection, Cyber Security, Network Security, Cyber Resilience, Information Security, Physical Security, etc.) which are applied to provide Protective Security countermeasures for safeguarding of valuable assets. Consequently, it is essential that these terms are fully understood and not confused with one another.

The focus of an effective Protective Security strategy is to ensure that an entity's assets are appropriately protected (through the application of security controls that are proportionate to the perceived value of the assets) from malicious or accidental actions which could adversely impact the effectiveness/productivity of the asset and, therefore, impact the entity's operations/processes.

Consequently, the Protective Security model is increasingly relevant for any business looking to simplify their security practices and to help ensure that the defensive measures that are applied remain effective and equivalent to the perceived risks.

Further Reading[edit]

References[edit]

  1. "protective security". TheFreeDictionary.com. Retrieved 2020-10-19.
  2. "Protective Security | legal definition of Protective Security by Law Insider". www.lawinsider.com. Retrieved 2020-10-19.
  3. "Protective Security Advice | CPNI | Public Website". www.cpni.gov.uk. Retrieved 2020-10-19.
  4. "PROTECTIVE SECURITY POLICY AND GOVERNANCE" (PDF). The Chief Minister, Treasury and Economic Development Directorate. Unknown parameter |url-status= ignored (help)
  5. "Protective Security". Unknown parameter |url-status= ignored (help)
  6. "Principles of Protective Security". Understanding, Assessing, and Responding to Terrorism. Online Wiley. 2017. pp. 259–278. doi:10.1002/9781119237792.ch8. ISBN 9781119237792. Search this book on

Protective Security[edit]


This article "Protective Security" is from Wikipedia. The list of its authors can be seen in its historical and/or the page Edithistory:Protective Security. Articles copied from Draft Namespace on Wikipedia could be seen on the Draft Namespace of Wikipedia and not main one.


Retrieved from "https://en.everybodywiki.com/index.php?title=Protective_Security&oldid=1691885"
License CC BY-SA 3.0
Powered by MediaWiki
Powered by Semantic MediaWiki