SRA Institutes

The scope and purpose are to systematically identify, assess, and manage security risks to the institution or process under evaluation. This involves the active participation of all relevant stakeholders and aims to achieve specific outcomes that align with the institution’s overarching Risk Management (RM) strategy.

The SRA will adhere to the following defined scope and purpose:-

• System or Process Being Assessed
  The SRA will clearly outline the system or process under review, encompassing both physical systems (e.g., buildings, equipment, supplies) and digital systems (e.g., networks, software, data).

• Stakeholders Involved
  The assessment will engage all relevant stakeholders, including employees, contractors, suppliers, customers, and other affected parties. Ensuring stakeholder awareness and participation is critical to gathering comprehensive input and feedback.

• Intended Outcomes
  The SRA will have clearly defined objectives aligned with the institution’s RM strategy. Key outcomes include identifying potential security risks, evaluating the effectiveness of existing security measures, developing risk mitigation strategies, and establishing protocols for monitoring and responding to security incidents.

DRASInt Risk follows the ISO 31000 and API 780 to provide guidance on the principles and framework for effective RM, including the identification of potential risks to systems and processes, these guidelines can help institutions identify and manage risks more effectively, thereby reducing the likelihood of negative impacts on the system or process. The process of identifying potential risks to a system or process involves the following steps:

Establishing the Context. This involves defining the scope and boundaries of the system or process, as well as identifying the stakeholders and their interests. This step helps to ensure that the risk identification process is focused and relevant.

Identifying the Risks. This involves identifying all possible internal and external threats that could affect the system or process. This will be done through brainstorming sessions, surveys, interviews, historical data analysis, and other techniques.

Analysing the Risks. This involves evaluating the identified risks in terms of their likelihood and potential impact. This step helps to prioritize the risks and determine which ones require further attention.

Evaluating the Risks. This involves assessing the risks in terms of the institution's risk tolerance and appetite. This step helps to determine whether the risks are acceptable or whether additional risk mitigation measures are needed.

Treating the Risks. This involves developing and implementing risk mitigation measures to reduce the likelihood or potential impact of the identified risks. This can include risk transfer, risk avoidance, risk reduction, or risk acceptance.

Monitoring and reviewing. This involves regularly monitoring and reviewing the effectiveness of the risk mitigation measures and the overall RM  process. This step helps to identify any new risks that may arise and ensure that the RM  process remains effective and relevant.

The risk analysis will involve the following steps:

Identifying the potential consequences of each risk. This step involves determining the various ways in which the risk could impact the installation, institution or project.

Assess the likelihood of each risk. Once the potential consequences of each risk have been identified, the next step will be to assess the likelihood of each risk occurring. This step involves evaluating the probability of the risk eventuating.

Determine the impact of each risk. After assessing the likelihood of each risk, the next step will be to determine the impact of each risk. This step involves evaluating the severity of the consequences of the risk if it were to occur.

Prioritize risks. Once the potential consequences, likelihood, and impact of each risk have been determined, the next step will be to prioritize the risks. This step involves ranking the risks based on their potential consequences and likelihood, and determining which risks pose the greatest threat to the institution or project.

Develop risk treatment options. After prioritizing the risks, the next step will be to develop risk treatment options. This step involves identifying strategies and measures that can be implemented to mitigate, transfer, or accept the risks.

Review and monitor risks. Finally, it is important to review and monitor the risks on an ongoing basis. This step involves continuously assessing the effectiveness of the risk treatment options and adjusting them as necessary. It is also important to identify new risks that may emerge over time and incorporate them into the RM  framework.

Evaluating risks based on the analysis will involve identifying and prioritizing risks, assessing the level of risk tolerance, developing risk mitigation measures, implementing these measures, and continuously monitoring and reviewing the RM  process. The following steps are generally recommended by ASSA:

Identify and prioritize risks. This involves identifying potential risks and prioritizing them based on their likelihood and potential impact. The risks will be categorized based on their severity, likelihood of occurrence, and potential consequences.

Assess the level of risk tolerance. Determine the institution's level of risk tolerance based on its RM  objectives and the consequences of the identified risks. The institution should decide which risks to accept, which to transfer or mitigate, and which to avoid.

Develop risk mitigation measures. Develop strategies to reduce or eliminate risks that exceed the institution's risk tolerance. These measures may include risk avoidance, risk transfer, risk reduction, and risk acceptance.

Implement risk mitigation measures. Implement the selected risk mitigation measures and monitor their effectiveness over time. The institution will also assess the residual risk and determine if additional measures are needed.

Continuously monitor and review. Continuously monitor and review the effectiveness of risk mitigation measures, the changing risk environment, and the institution's risk tolerance level. This helps to ensure that the institution's RM  process remains effective and aligned with its objectives.

Risk Treatment

ISO 31000 and API 780 provide guidelines for RM , which includes four main steps, risk identification, risk assessment, risk treatment, and risk communication and monitoring. The steps for treating each risk, including risk avoidance, risk reduction, risk sharing, and risk retention, involve identifying potential risks, assessing their likelihood and impact, determining the appropriate risk treatment measures, communicating and monitoring the results, and reviewing the RM  plan regularly. Here are the steps employed for treating each risk, including risk avoidance, risk reduction, risk sharing, and risk retention:

Risk Identification. Identify the potential risks that could affect the project or operation, using tools such as risk registers, risk assessments, and risk analysis.

Risk Assessment. Assess the likelihood and impact of each risk identified in step one, using tools such as risk matrices or other quantitative or qualitative methods.

Risk Treatment.

Risk Avoidance. Identify risks that can be avoided by changing project scope, strategy, or approach. Avoidance means eliminating the risk by choosing not to undertake the activity or process that poses the risk.

• Risk Reduction. Identify risks that can be reduced by implementing risk mitigation measures, such as engineering controls, administrative controls, or personal protective equipment (PPE). Risk reduction means decreasing the likelihood or severity of the risk.
• Risk Sharing. Identify risks that can be shared by transferring the risk to another party, such as through insurance or contracts. Risk sharing means transferring some or all of the financial consequences of the risk to another party.
• Risk Retention. Identify risks that cannot be avoided, reduced, or shared, and decide to retain the risk. Risk retention means accepting the risk and developing a plan to manage it.
• Risk Communication and Monitoring. Communicate the results of risk assessment and treatment to stakeholders, and monitor the effectiveness of risk treatment measures. Review the RM  plan periodically to ensure that it remains effective and up to date.

Risk Communication

Communicating the results of an SRA is a crucial step in ensuring that stakeholders have the information they need to make informed decisions about RM. Effective communication of the results of an SRA is considered essential for ensuring that stakeholders are informed and able to make informed decisions about RM . By following these steps and leveraging the guidance provided by standards, institutions can develop effective risk assessment reports and recommendations that meet the needs of their stakeholders. Here are some steps to follow when communicating the results of an SRA to stakeholders:

Identification the stakeholders. Our team will identify the stakeholders who will be interested in the results of the SRA. This will include executives, managers, employees, customers, and regulatory bodies.

Determination the appropriate communication method. They will determine the appropriate method for communicating the results of the SRA. This may include a report, a presentation, or a combination of both.

Develop the risk assessment report. Develop a comprehensive risk assessment report that outlines the results of the assessment, including the identified risks, their likelihood and potential impact, and the risk mitigation measures that have been recommended. The report will also include an overview of the RM  process, as well as any limitations or assumptions that were made during the assessment.

Make recommendations. Make recommendations to stakeholders on how to manage the identified risks. These recommendations will be practical and actionable, and will be based on a thorough understanding of the institution's risk appetite and risk tolerance levels.

Tailor the report to the audience. Tailor the report to the needs of the stakeholders. This may include providing additional detail or simplifying technical information, depending on the audience's level of expertise.

Seek feedback. Seek feedback from stakeholders on the report and recommendations. This will help ensure that the report is accurate, relevant, and useful.

Monitor and review. Monitor and review the effectiveness of the RM  measures that have been implemented, and update the risk assessment report as needed.

Monitoring and reviewing the SRA is an ongoing process that requires regular updates to the SRA report to ensure that the institution remains aware of its risks and vulnerabilities and takes appropriate measures to manage them. By following the guidance provided by DRASint Risk, institutions can ensure that their SRA remains effective and aligned with their overall RM  strategy. The ongoing process of monitoring and reviewing the SRA is essential to ensure that the institution remains aware of its risks and vulnerabilities and takes appropriate measures to manage them.

The first step in monitoring and reviewing the SRA will be to establish a schedule for regular updates. DRASInt Risk recommends that the RM  process be reviewed and updated at least annually, or more frequently if there are significant changes in the institution's operating environment. API 780 recommends that the SRA be reviewed at least every three years or whenever there is a significant change in the operating environment.

The second step will be to identify any changes in the institution's operating environment that may affect its risk profile. These changes may include changes in technology, personnel, physical assets, or the threat landscape. The SRA report will be updated to reflect any changes and to reassess the likelihood and potential impact of each identified risk.

The third step will be to review and update the risk treatment plan. The risk treatment plan outlines the measures that the institution has taken or plans to take to mitigate each identified risk. The plan will be reviewed to ensure that it remains effective and that any changes to the risk profile are reflected in the plan.

The fourth step will be to ensure that the SRA remains aligned with the institution's overall RM  strategy. This involves reviewing the SRA in the context of the institution's risk appetite and risk tolerance levels and ensuring that it remains consistent with the institution's overall RM  objectives.

Finally, the SRA report will be communicated to relevant stakeholders, including senior management, the board of directors, and employees. The report should be providing a clear and concise overview of the institution's risk profile, the measures being taken to mitigate identified risks, and any changes to the risk profile or risk treatment plan.

Thus DRASInt Risk Alliance, by following the principles of ISO 31000 and API 780 will monitor and review the SRA process to ensure that the risk assessment remains up-to-date and relevant. The following are the steps involved in monitoring and reviewing the SRA process as per these guidelines:

Establishing a RM  framework. The first step in monitoring and reviewing the SRA process will be to establish a RM  framework that defines the scope, objectives, and methodology of the risk assessment. This framework will also include the roles and responsibilities of the stakeholders involved in the risk assessment process.

Conducting regular risk assessments. Risk assessments will be conducted on a regular basis will be to identify new risks or changes to existing risks. The frequency of these assessments will be determined based on the level of risk and the rate of change in the operating environment.

Documenting the risk assessment. The results of the risk assessment will be documented in a risk assessment report that outlines the identified risks, their likelihood, potential impact, and the measures that have been implemented to mitigate these risks.

Reviewing the risk assessment report. The risk assessment report will be reviewed periodically to ensure that it remains up-to-date and relevant. This review should take into consideration changes in the operating environment, new risks that have emerged, and the effectiveness of the risk mitigation measures that have been implemented.

Updating the risk assessment report. Based on the results of the review, the risk assessment report will be updated to reflect any changes or new information that has been identified. This updated report will be communicated to all stakeholders to ensure that they are aware of the latest risks and risk mitigation measures.

Implementing risk mitigation measures. The risk mitigation measures identified in the risk assessment report will be implemented in a timely manner to reduce the likelihood and impact of identified risks.

Monitoring the effectiveness of risk mitigation measures. The effectiveness of the risk mitigation measures will be monitored regularly to ensure that they continue to be effective in mitigating the identified risks. This monitoring will be documented in the risk assessment report and communicated to all stakeholders.

By following these guidelines, institutions can ensure that their SRA process remains relevant and effective in identifying and mitigating risks to their operations. There are no specific guidelines or parameters for conducting SRA in an academic institution. However, there are some general guidelines and best practices that institutions can follow to assess and manage security risks:

Identify the assets and resources that need protection, such as students, faculty, staff, facilities, equipment, and data.

Conduct a threat assessment to identify potential risks, such as theft, violence, natural disasters, cyber-attacks, and terrorism.

Evaluate the vulnerabilities of the institution, such as weak access control, inadequate training, insufficient physical security, and outdated IT systems.

Determine the likelihood and impact of each risk, and prioritize them based on their severity.

Develop a risk management plan that includes strategies for prevention, mitigation, response, and recovery.

Train and educate staff and students on security policies and procedures, and conduct regular drills and exercises to test the effectiveness of the plan.

Review and update the plan periodically to address new risks, emerging threats, and changing circumstances.

Some guidelines and which were considered by ASSA while conducting a SRA in an academic institution:

Identification of the assets. Identification of all the assets that need protection. This will include the physical assets like buildings, equipment, and the digital assets like data, software, and systems.

Defining the scope. Determining the scope of the assessment, including the areas to be assessed and the objectives of the assessment.

Identification of the threats. Identification the potential risks that the institution is exposed to, including natural disasters, physical attacks, cyber-attacks, and other types of threats.

Evaluation of the vulnerabilities. Identification of the vulnerabilities that exist within the institution that can be exploited by potential attackers.

Assessment the likelihood and impact of risks. Evaluation of the likelihood and impact of each identified risk to determine the level of risk that the institution faces.

Determining the risk level. Based on the evaluation of the risks, determine the level of risk that the institution faces, including high, medium, or low risk.

Developing risk mitigation strategies. Develop strategies to mitigate the identified risks, including preventive measures, detection and response, and recovery plans.

Implementing risk mitigation strategies. Implement the identified risk mitigation strategies, including training and awareness programs, security policies and procedures, and technical controls.

Monitoring and review. Regularly monitor and review the institution's security posture to identify new threats and vulnerabilities and assess the effectiveness of the implemented risk mitigation strategies.

Suggesting continuous improvement. Continuously improve the institution's security posture by incorporating lessons learned from previous incidents and incorporating best practices and emerging technologies.

At DRASInt Risk Alliance, we strive to provide the highest level of security and investigation services to our clients. If for any reason you are not satisfied with our services, we offer a refund on a case-by-case basis. To be eligible for a refund, you must contact us within 7 days of the completion of our services. Please note that we reserve the right to deny a refund if we determine that our services were provided as agreed upon, or if there was any misrepresentation or abuse of our services.

Return Policy

We understand that sometimes, due to unforeseen circumstances, our clients may need to cancel or reschedule our services. In such cases, we offer the following return policy:

• If you cancel or reschedule our services at least 48 hours before the scheduled start time, we will provide a full refund.
• If you cancel or reschedule our services less than 48 hours before the scheduled start time, we will charge a cancellation fee of 50% of the total service cost.
• If you cancel or reschedule our services less than 24 hours before the scheduled start time, we will charge a cancellation fee of 100% of the total service cost.

Please note that we reserve the right to deny a return or refund if we determine that the cancellation or rescheduling was made without sufficient notice, or if there was any misrepresentation or abuse of our services.

We hope this policy provides clarity and assurance to our clients that we are committed to their satisfaction and providing high-quality services.

Conducting a security risk assessment in an academic institution, as provided by DRASInt Risk Alliance, is an essential step towards improving the security posture of the institution. However, it is important to note that security risks can never be completely eliminated, and no assessment can guarantee complete security. The assessment provided by DRASInt Risk Alliance is not a guarantee of the security of the academic institution, and the client assumes all risks associated with any decisions made based on the results of the assessment. Additionally, while ISO 31000 and API 780 provide guidance on Risk Management and risk assessment processes, the assessment provided by DRASInt Risk Alliance is not a substitute for legal or other professional advice. It is the client's responsibility to determine whether the assessment is appropriate for their needs and to comply with any applicable laws and regulations.