Introduction




The September 11, 2001, terrorist attacks illustrated the immense vulnerability of the United States to terrorist threats. Since then there have been considerable efforts to develop plans and methods to protect critical infrastructures and key assets. The government at all levels, private-sector organizations, and concerned citizens have begun to establish partnerships and to develop action plans. But there are many questions yet to be answered about what organizations should actually do to protect their assets and their people, while participating in national efforts to improve security. This book, Implementing Homeland Security Initiatives in Enterprise IT, provides practical steps that managers in all organizations and sectors can take to move security from the planning process into practice.

The Department of Homeland Security (DHS) began formal operations in early 2003. DHS was formed as a result of the September 11, 2001, terrorist attacks on the World Trade Center, the Pentagon, and in Pennsylvania.

Physical protection of infrastructures and assets

In February 2003, DHS published The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, which outlines national goals, objectives, and principles to help physically secure critical infrastructures. The strategy calls for cooperation between government, industry, and private citizens and is designed to protect:

  • Agriculture and food

  • Water

  • Public health

  • Emergency services

  • Defense industrial base

  • Telecommunications

  • Energy

  • Transportation

  • Banking and finance

  • Chemical industry and hazardous materials

  • Postal and shipping

  • National monuments and icons

  • Nuclear power plants

  • Dams

  • Government facilities

  • Commercial key assets

Chapters 1 through 5 provide business planners with an analysis of the principles and call for action from The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. There are several points about the physical protection of computer systems and telecommunications systems that planners should address. First and foremost is that the U.S. government expects cooperation in the prevention of events that could damage the private sector's ability to function and deliver essential services[1].

One of the key steps that the U.S. government wants to accomplish is 'Taking stock of our most critical facilities, systems, and functions and monitoring their preparedness across sectors and governmental jurisdictions[2].'

To participate fully in this effort, an organization will need to execute this type of exposure inventory and mitigation analysis for all assets it owns or controls to determine whether they are critical to the national infrastructure. Federal agencies are to assist state and local governments and private companies in their efforts to:

  • Organize and conduct protection and continuity of operations planning and elevate awareness and understanding of threats and vulnerabilities to critical facilities, systems, and functions.

  • Identify and promote effective sector-specific risk-management policies and protection practices and methodologies.

  • Expand voluntary protection-related information sharing among private entities within sectors, as well as between government and private entities.

It is uncertain how government security and disaster-recovery requirements for organizations identified as holding assets considered critical to the economy and security of the United States will evolve. However, given all of the priorities and principles detailed in the strategy documents, the following steps apply:

  • Conduct an exposure inventory.

  • Assess mitigation and protection steps that are in place.

  • Perform a risk analysis.

  • Adjust mitigation and protection steps based on outcome of risk analysis.

  • Maintain vigilance in monitoring and detecting incidents.

  • Detect incidents and verify occurrence.

  • Report to law enforcement or appropriate government agency.

  • Assess damage.

  • Restore systems.

  • Evaluate similar systems or environments for vulnerability.

  • Adjust mitigation and protection steps based on occurrence of incidents.

  • Return to monitoring mode.

[1]The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (February 2003).

[2]Ibid.






Implementing Homeland Security for Enterprise IT
ISBN: 1555583121
EAN: 2147483647
Year: 2003
Pages: 248
