Protective Security

Protective Security is the practice of prioritising your defensive countermeasures, based upon the entity's perceived value of the assets and their risks. As an Umbrella term, this should not be confused other security terms, e.g.

• Physical Security.
• Cyber Security.
• Personnel Security.
• Information Security.

The term Protective Security is often used and successfully applied in the Military and Government environments for the safeguarding of their mission critical assets and operations, with each asset being categorised based upon their potential impact in the event that these assets have their Confidentiality, Integrity and Availability (CIA) compromised, through the malicious or accidental actions of a threat actor.

Definitions

Various definitions of protective security are suggested below, summarized from different sources:

1. "The organized system of defensive measures instituted and maintained at all levels of command with the aim of achieving and maintaining security."^[1]
2. "Protective Security means the level of security provided by meeting the SPF mandatory requirements."^[2]
3. "The most effective way for an organisation to protect itself against national security threats is to use a combination of physical, personnel and people, and cyber security measures."^[3]
4. "The organised system of defensive measures used to counter security threats, instituted and maintained at all levels across CMTEDD to reduce the security risk to CMTEDD’s functions and official resources."^[4]

Basic principles

The domain of Protective Security focuses on the following 10 principles^[5]:

1. Business alignment. Security is a business enabler. It supports the efficient and effective delivery of services.
2. Board-driven risk. Risk management is key and should be driven from Board level. Assessments will identify potential threats, vulnerabilities, and appropriate controls to reduce the risks to people, information, and infrastructure to an acceptable level. This process will take full account of relevant statutory obligations and protections
3. Risk ownership. Accountable authorities own the security risks of their entity and the entity’s impact on shared risks.
4. Proportionality. Security measures applied proportionately protect entities’ people, information, and assets in line with their assessed risks.
5. Security culture. Attitudes and behaviours are fundamental to good security. The right security culture, proper expectations and effective training are essential.
6. Team effort. Security is everyone’s responsibility. Developing and fostering a positive security culture is critical to security outcomes.
7. Cycles of action. Cycles of action, evaluation and learning is evident in response to security events +/or incidents.
8. Robust protection. Protective security should reflect the widest security objectives of the business and ensure that organization’s most sensitive assets are robustly protected.
9. Transparency. Security must be a business enabler and should be framed to support the company’s objectives to work transparently and openly, and to deliver services efficiently and effectively, via digital services wherever appropriate.
10. Policies & Procedures. Policies and processes will be in place for reporting, managing, and resolving any security incidents. Where systems have broken down or individuals have acted improperly, the appropriate action will be taken.

Protective security context

An effective Protective Security strategy starts with a focus on the identification and categorization of an entity's assets and through an appreciation of the perceived threats, which pertain to these assets, appropriate controls can be selected and applied to help reduce the risk to within an organization's risk tolerances.

Many organizations become focused on the individual security industry terms (e.g. Cyber Security, Cyber Resilience, Information Security, etc.) and fail to recognize the think that is common to all this 'Buzz terms':

• Identify, categorise and prioritise assets, to allow effective Risk Management.

RISK = Asset Value (How important is the asset?) X Vulnerabilities (What vulnerabilities are associated with these assets?) X Threats (How might these vulnerabilities be exploited and by who?) X Impact (If the threat actors were to compromise the CIA of these assets, what might the potential fallout from it?)

It is important to remember that an asset is not just an IT system and applies to anything that is of value to an organisation and the threats can be both traditional and no traditional.

Threats Types (TESSOC)

Traditional	Non-Traditional
Terrorism	Other Considerations
Espionage	Examples: Organized Crime. Theft. Accidental. Investigative Journalist. Hacktivist. Natural Disasters.
Sabotage
Subversion

An effective Protective Security strategy will incorporate multiple layers of defence, which make it progressively more difficult for a threat actor to compromise the valuable/critical assets of an entity.

Applying the protective security concept

The criticality/value of an organization's assets is aligned to the importance they play in supporting or delivering a service/process which is deemed important to that business.

Military Example.

A member of the infantry needs an operational weapon system to be able to fight, or defend against an enemy.

Consequently, for the infantry unit, the weapon system would be identified as a critical/valued asset. For this system to be effective, another critical/valuable asset is the correct ammunition needed for the weapon to be able to be fired.

When considering the requirements needed to keep the weapon system operational, there are other assets that are important for the weapon system.

Additional Questions:

• Would having spare working parts available, be something that is considered important?
• How about any specialist tools (needed for cleaning or adjusting the weapon system)?
• What about having enough magazines to load the ammunition into the weapon?
• When considering what might need to be considered to keep the weapon system clean?
  • Would the weapon system cleaning kit be considered as being a valuable asset?
  • What about having the correct lubrication for the local environmental conditions (i.e. Graphite Grease for cold weather conditions)?
  • How about having the trained infantry personnel, skilled and available to operate the weapon system?

Protective security frameworks

The following are examples of some of the Protective Security Frameworks that have been developed by country governments:

• Protective Security Advisor Program - United States.
• Protective Security Management Systems (PSeMS) - United Kingdom.
• The Protective Security Policy Framework - Australia.
• The Protective Security Requirements (PSR) - New Zealand.

With the numerous security domain involved with an effective Protective Security program, the successful application requires a generalist knowledge of these domain areas and the integration between the various specialist areas. This should not be confused the bodyguards' Protective Security Units, with an association with the safeguarding of a specific asset type (i.e. VIP Protection of the 'Principal' and their family).

Alignment to industry security standards

When looking at the relationship between Protective Security and other Industry Security Standards (e.g. ISO/IEC 27001, PCI DSS, CIS 20, NIST CSF, etc.), these are specific catalogues of security controls developed for the protection of specific asset types.

• For example, with PCI DSS these controls have been designed to protect any business assets (involved in (or may impact) the processing, transmission or storage of cardholder data and includes Third Party Management). These controls have been created by the PCI SSC, to mitigate the known threats for payment card operations.

Protective security education

Various educational courses are available, suggested below, summarized from different sources:

• Master of Protective Security Management (MPSM)
  • This program is designed especially for those organizations dealing with critical infrastructures and key installations, such as government agencies, energy & utilities, health services, transportation, banking & finance, info & telecommunication, etc.
• Protective Security Management BA(Hons).
  • There are many skills required of an adept and effective protective security manager, who may be responsible for the protection of high net worth individuals, teams working in hostile environments and multi-million-pound projects.
• Protective Security and Resilience PGCert, PGDip, MSc.
  • Protective Security and Resilience is becoming an important and influential consideration in the counter terrorism, security and development disciplines, particularly in relation to crowded places and critical infrastructure protection.
• Fundamentals of Protective Security
  • This course gives learners and introduction to the fundamentals of protective security. Using the globally recognised “Three D” principles, Deter, Detect, Delay, this course gives examples of how security measures can be implemented in various areas of a site to protect assets.
• Protective Security Detail (PSD)
  • The purpose of this multi-discipline course is to provide the unit with the principles of Protective Security Detail (PSD) as it relates to their mission while deployed. It contains Live-Fire and Force-on-Force Scenarios. It allows the unit to develop and test their Standard Operating Procedures during the two weeks of instruction.
• Spear Point Protective Security Courses
  • Our Protective Security Courses offer expert training to Law Enforcement, Tactical Teams, Military and the Private Sector to conduct protective operations for witnesses, public officials, dignitaries and other persons who require protection for their safety.

Conclusion

Not to be confused with focused branches of Protective Security (e.g. Bodyguarding), this term is focused on the proportionate defence of an entity's assets and incorporates all of the well known security industry terms.

Protective Security is often associated with only the protection of critical national infrastructures or Bodyguarding. Additionally, the security industry could learn a great deal from the Protective Security field to use this as an umbrella term, within which all the other 'Buzz terms' would reside.

Much as the national infrastructures and bodyguards have VIP assets, so do most business. Therefore, based on the military application, these principles can be successfully applied to the safeguarding of any businesses critical/important assets from unsafe actions by threat actors (both internal and external).

It is important that the security industry and business are able to distinguish between the isolated security concepts (e.g. Close Protection, Cyber Security, Network Security, Cyber Resilience, Information Security, Physical Security, etc.) which are applied to provide Protective Security countermeasures for safeguarding of valuable assets. Consequently, it is essential that these terms are fully understood and not confused with one another.

The focus of an effective Protective Security strategy is to ensure that an entity's assets are appropriately protected (through the application of security controls that are proportionate to the perceived value of the assets) from malicious or accidental actions which could adversely impact the effectiveness/productivity of the asset and, therefore, impact the entity's operations/processes.

Consequently, the Protective Security model is increasingly relevant for any business looking to simplify their security practices and to help ensure that the defensive measures that are applied remain effective and equivalent to the perceived risks.

References

External links

• Protective security - definition of protective security by The Free Dictionary
• Protective Security Advice | CPNI | Public Website
• Protective Security Considerations | Public Website - CPNI

This article "Protective Security" is from Wikipedia. The list of its authors can be seen in its historical. Articles taken from Draft Namespace on Wikipedia could be accessed on Wikipedia's Draft Namespace. Wikipedia:Personal security practices