120 likes | 274 Views
Partnership for Secure National Infrastructures. Jerry Cochran Principal Security Strategist Trustworthy Computing Group Microsoft Corporation. Differentiating CIP, CII, and Cybersecurity. Critical Infrastructures. Non-essential IT systems. Cybersecurity.
E N D
Partnership for Secure National Infrastructures Jerry Cochran Principal Security Strategist Trustworthy Computing Group Microsoft Corporation
Differentiating CIP, CII, and Cybersecurity Critical Infrastructures Non-essential IT systems Cybersecurity Those practices and procedures that enable the secure use and operation of cyber tools and technologies Critical Information Infrastructure Cross-cutting ICT interdependencies among all sectors Energy Transportation IT/Telecom Enterprises Consumers Govt Services Banking/Finance
CIP Policy Drivers and Influences War Terrorism Cyber Attacks Convergence Globalization Natural Disasters Laws and Regulations Directives/Policies Emergency Response Plans National Strategies
Keys to Resilient Infrastructures • Define Goals and Roles • Identify and Prioritize Critical Functions • Continuously Assess and Manage Risks • Build Operational Response Frameworks • Create Public-Private Partnerships • Build Security/Resiliency into Operations • Government and infrastructure owners/operators: • Collaboratively pursue these core enablers of resiliency and infrastructure security
Roles for CIP Engagement Incidences, emerging issues, & changing conditions : constantly update risk assessment
Identify and Prioritize Critical Functions • Establish an Open Dialog • Understand the critical functions, infrastructure elements, and key resources necessary for: • delivering essential services, • maintaining the orderly operations of the economy, and • helping to ensure public safety. Critical Function Infrastructure Element Key Resource Supply Chain Supply Chain Supply Chain Critical Function Infrastructure Element Key Resource Critical Function Supply Chain Supply Chain Supply Chain Infrastructure Element Key Resource Understand Interdependencies Supply Chain Supply Chain Supply Chain Supply Chain
Continuous Risk Management Protection is the Continuous Application of Risk Management • Evaluate Program Effectiveness • Leverage Findings to Improve Risk Management • Identify Key Functions • Assess Risks • Evaluate Consequences Incidences, emerging issues, & changing conditions : constantly update risk assessment • Define Functional Requirements • Evaluate Proposed Controls • Estimate Risk Reduction/Cost Benefit • Select Mitigation Strategy • Seek Holistic Approach. • Organize by Control Effectiveness • Implement Defense-in-Depth
Build Operational Response Frameworks • Goal: Improve Operational Coordination • Public- and private-sector organizations alike can benefit from developing joint plans for managing emergencies, including recovering critical functions in the event of significant incidents • Unified Concept of Operations for Public and Private Sector CERTs • Emergency response plans can mitigate damage and promote resiliency. • Effective emergency response plans are generally short and highly actionable so they can be readily tested, evaluated, and implemented. • Testing and exercising emergency response plans promotes trust, understanding, and greater operational coordination among public- and private-sector organizations. • Exercises also provide an important opportunity to identify new risk factors that can be addressed in response plans or controlled through regular risk management functions.
Create Public/Private Partnerships • Voluntary public-private partnerships • Promote trusted relationships needed for information sharing and collaborating on difficult problems • Leverage the unique skills of government and private sector organizations • Provide the flexibility needed to collaboratively address today’s dynamic threat environment • Provide a Value Proposition to the private sector Collaboration is key to protecting critical infrastructure
Continuous Improvement: Build Resiliency/Security into Infrastructures Critical Functions (Global, National, Local) Security is a continuous process Building security and resiliency into infrastructure operations Infrastructure Operations Security Controls Management Technical Operational Fosters increased security and resiliency for the critical functions that support safety, security, and commerce at all levels