|< Day Day Up >|| |
EO 13231, Critical Infrastructure Protection in the Information Age, which was signed by the president of the United States on October 16, 2001, was designed to protect the operation of IS essential to the critical infrastructure. The EO also established the President's Critical Infrastructure Protection Board, which is charged with recommending policies and coordinating programs for protecting IS for critical infrastructure, including emergency preparedness communications and the physical assets that support such systems.
Any organization that electronically interacts with any government entity should be prepared to provide information to those entities about computer usage and security practices. This will help to provide ongoing assessments of threats and vulnerabilities. The organizations that are most likely to be able to provide helpful information to government entities are the following:
Technology producers that sell equipment or software to government entities
Government contractors that participate in electronic data interchange, online acquisition, e-commerce, or other forms of electronic interaction with government entities
Other government entities that participate in electronic data interchange or other forms of electronic interaction with government entities
Organizations in any of the critical industries (agriculture and food, water, public health, emergency services, defense industrial base, telecommunications, energy, transportation, banking and finance, chemical industry and hazardous materials, postal and shipping) that electronically interact with government entities or that have information regarding specific threats or vulnerabilities
Risk assessments, whether they pertain to information security or other types of risk, are a means of providing decision makers with information needed to understand factors that can negatively influence operations and outcomes and to make informed judgments concerning the extent of actions needed to reduce risk. As reliance on computer systems and electronic data has grown, information security risk has joined the array of risks that governments and businesses must manage. The U.S. General Accounting Office (GAO) has identified the basic elements of a risk-assessment process. Regardless of the types of risks being considered, all risk assessments generally include the following elements:
Identifying threats, including such things as intruders, criminals, disgruntled employees, terrorists, and natural disasters, that could harm and, thus, adversely affect critical operations and assets
Estimating the likelihood that such threats will materialize, based on historical information and the judgment of knowledgeable individuals
Identifying and ranking the value, sensitivity, and criticality of the operations and assets that could be affected should a threat materialize in order to determine which operations and assets are the most important
Estimating, for the most critical and sensitive assets and operations, the potential losses or damage that could occur if a threat materializes, including recovery costs
Identifying cost-effective actions, including implementing new organizational policies and procedures as well as technical or physical controls, to mitigate or reduce the risk
Documenting the results and developing an action plan
The GAO has further determined that reliably assessing information security risks can be more difficult than assessing other types of risks, because the data on the likelihood and costs associated with information security risk factors is often more limited and because risk factors are constantly changing. For example:
Data is limited on risk factors, such as the likelihood of a sophisticated hacker attack and the costs of damage, loss, or disruption caused by events that exploit security weaknesses.
Some costs, such as loss of customer confidence or disclosure of sensitive information, are inherently difficult to quantify.
Although the cost of the hardware and software needed to strengthen controls may be known, it is often not possible to estimate precisely the related indirect costs, such as the possible loss of productivity that may result when new controls are implemented.
Even if precise information were available, it would soon be out of date due to fast-paced changes in technology and factors such as improvements in tools available to would-be intruders.
|< Day Day Up >|| |