3.4 Applying the national strategy at the organizational level

There are several key questions that managers need to address when considering how to address homeland security issues. First, is any part of their organizations a component of the critical national infrastructure? Second, which parts of the critical national infrastructure are their organizations most dependent on? Third, are the organizations' facilities located near facilities or structures that are components of the critical national infrastructure?

These questions can be answered through a structured threat-assessment process. The updated risk assessments can help organizations to develop a business case for action to justify increased security investments. Risk assessments need to cover all operational aspects of an organization, including IT support.

If managers do conclude that their organizations or parts of them are components of the critical national infrastructure, then, depending on the sector that the unit is a component of, there are several steps that should be taken to apply the national strategy. These are covered on a sector-by-sector basis in Chapter 5.

Most organizations will likely find that they are dependent on components of the critical national infrastructure. It is difficult not to be dependent on telecommunications, banking, and public utilities. Thus, if there were to be a major disruption in any those sectors because of a terrorist attack, the organization would be impacted in some way. These disruptions can, in part, be mitigated or minimized through the implementation of a DRP and a business-continuity plan.

If managers conclude that their organizations' facilities are located near facilities or structures that are components of the critical national infrastructure, then it is likely that a major terrorist attack on those components would impact operations. The best illustration of this is that when the WTC was attacked on September 11, 2001, over 20 buildings in the area sustained damage, and many organizations were forced to relocate temporarily or permanently. These disruptions can also, in part, be mitigated or minimized through the implementation of a DRP and a business-continuity plan.