A central point for collection of information that relates to computer security, including, but not limited to, security advisories from the major vendors, major data breaches, "phishing" alerts, commentary regarding staffing levels, etc.
DHS National Infrastructure Protection Plan
April 7, 2010 at 12:17 pm #96950
The 2009 National Infrastructure Protection Plan
The National Infrastructure Protection Plan provides the unifying structure for the integration of a wide range of efforts for the enhanced protection and resiliency of the nation's critical infrastructure and key resources (CIKR) into a single national program.
The overarching goal of the NIPP is to build a safer, more secure, and more resilient America by preventing, deterring, neutralizing, or mitigating the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit elements of our nation’s CIKR and to strengthen national preparedness, timely response, and rapid recovery of CIKR in the event of an attack, natural disaster, or other emergency.
The 2009 NIPP replaces the 2006 version and reflects changes and updates to program elements and concepts. It captures the evolution and maturation of the processes and programs first outlined in 2006 without changing the underlying policies. The revised NIPP integrates the concepts of resiliency and protection, and broadens the focus of NIPP-related programs and activities to an all-hazards environment.
http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf (PDF, 188 pages – 4.5 MB)
April 7, 2010 at 12:32 pm #96955
Government Accounting Office Study
CRITICAL INFRASTRUCTURE PROTECTION
Update to National Infrastructure Protection Plan Includes Increased Emphasis on Risk Management and Resilience
Why GAO Did This Study:
According to the Department of Homeland Security (DHS), there are thousands of facilities in the United States that if destroyed by a disaster could cause casualties, economic losses, or disruptions to national security. The Homeland Security Act of 2002 gave DHS responsibility for leading and coordinating the nation's effort to protect critical infrastructure and key resources (CIKR). Homeland Security Presidential Directive 7 (HSPD-7) defined responsibilities for DHS and certain federal agencies—known as sector-specific agencies (SSAs)—that represent 18 industry sectors, such as energy. In accordance with the Homeland Security Act and HSPD-7, DHS issued the National Infrastructure Protection Plan (NIPP) in June 2006 to provide the approach for integrating the nation's CIKR. GAO was asked to study DHS's January 2009 revisions to the NIPP in light of a debate over whether DHS has emphasized protection—to deter threats, mitigate vulnerabilities, or minimize the consequences of disasters—rather than resilience—to resist, absorb, or successfully adapt, respond to, or recover from disasters. This report discusses (1) how the 2009 NIPP changed compared to the 2006 NIPP and (2) how DHS and SSAs addressed resiliency as part of their planning efforts. GAO compared the 2006 and 2009 NIPPs, analyzed documents, including NIPP Implementation Guides and sector-specific plans, and interviewed DHS and SSA officials from all 18 sectors about their process to identify potential revisions to the NIPP and address resiliency.
What GAO Found:
Compared to the 2006 NIPP, DHS’s 2009 update to the NIPP incorporated various changes, including a greater emphasis on regional CIKR protection planning and updates to DHS’s overall risk management framework, such as instructions for sectors to develop metrics to gauge how well programs reduced the risk to their sector. For example, in the 2006 NIPP, DHS encouraged stakeholders to address CIKR across sectors within and across geographic regions; by contrast, the 2009 NIPP called for regional coordination through the formation of a consortium of representatives from multiple regional organizations. DHS also enhanced its discussion of risk management methodologies in the 2009 NIPP. The 2006 NIPP listed the minimum requirements for conducting risk analyses, while the 2009 NIPP includes the use of a common risk assessment approach, including the core criteria for these analyses to allow the comparison of risk across sectors. DHS officials said that the changes highlighted in the 2009 NIPP were the result of knowledge gained and issues raised during discussions with partners and outside organizations like GAO. DHS has also issued guidance for SSAs to consider revisions to the NIPP when updating their sector-specific plans (SSPs). Fourteen of 18 SSA representatives that responded to our query said they used a process similar to DHS’s to incorporate NIPP changes into their SSPs. They reported that they intend to discuss the expectations for the SSP with DHS, draft the SSP based on their knowledge of their sectors, and obtain input and feedback from stakeholders.
DHS increased its emphasis on resiliency in the 2009 NIPP by discussing it with the same level of importance as protection. While the 2009 NIPP uses much of the same language as the 2006 NIPP to describe resiliency, the 2006 NIPP primarily treated resiliency as a subset of protection while the 2009 NIPP generally referred to resiliency alongside protection. For example, while the Managing Risk chapter of the 2006 NIPP has a section entitled “Characteristics of Effective Protection Programs,” the same chapter in the 2009 NIPP has a section entitled, “Characteristics of Effective Protection Programs and Resiliency Strategies.” DHS officials stated that these changes are not a major shift in policy; rather they are intended to raise awareness about resiliency as it applies within individual sectors. Furthermore, they stated that there is a greater emphasis on resilience in the 2009 NIPP to encourage more sector and cross-sector activities to address a broader spectrum of risks, such as cyber security. DHS officials also used guidance to encourage SSAs to devote more attention to resiliency. For example, in the 2009 guidance, SSAs are advised that in sectors where infrastructure resiliency is as or more important than physical security, they should focus on describing the resiliency measures and strategies being used by the sector. The 2010 updates to the SSPs are due to be released by DHS in mid-2010 and all sector representatives who responded to our questions said they will address the issue as is appropriate for their sectors. In commenting on a draft of this report, DHS reiterated its process for updating the NIPP and its views on resiliency.
April 7, 2010 at 12:37 pm #96953