12.2 The homeland security road map for IT


The way organizations approach implementing homeland security initiatives in enterprise IT varies by both the size of the organization and the industry sector in which the organization operates. As a guide for managers responsible for implementation, the action checklists from each chapter have been compiled into the following three lists (see Tables 12.1-12.3):

  • The Enterprise Action Checklist shows those action items that are of enterprisewide concern. The IT department or function will need to participate in executing most of those action items but will work in conjunction with many other departments or corporate officers. The departments involved are indicated for each action item. When the term security is used, it means the corporate or enterprise security department, rather than the IT security function, unless they are within the same functional unit.

  • The IT Management Action Checklist shows those action items that are of primary concern or are the primary responsibility of the IT department. It is probable that the IT department will take the lead role in the activity, but, when appropriate, the involvement of other departments is indicated. When the term security is used, it means the corporate or enterprise security department, rather than the IT security function, unless they are within the same functional unit.

  • The IT Security Action Checklist shows those action items that are of primary concern or are the primary responsibility of the IT security unit. It is probable that the IT security unit will take the lead role in the activity, but, when appropriate, the involvement of other departments is indicated. When the term security is used, it means the corporate or enterprise security department, rather than the IT security function, unless they are within the same functional unit.

Table 12.1: Enterprise Action Checklist

| Action Item | Chapter and Item | Departments Involved |
|---|---|---|
| Determine if the organization has taken a position on homeland security. | Chapter 1-1 | CEO, IT, legal counsel, business units |
| Evaluate what actions the organization needs to take if the threat level is raised by the government. | Chapter 1-5 | CEO, security, IT, business units |
| Determine the status of implementation of DRPs and what related training has been achieved. | Chapter 2-5 | CEO, HR, IT, disaster recovery, contingency management, business units |
| Determine the status of implementation of plans for the management of data privacy and what related training has been achieved. | Chapter 2-8 | CEO, HR, business units, privacy management |
| Conduct a structured threat assessment to determine if the organization is a component of the critical national infrastructure. | Chapter 3-1 | CEO, security, IT, legal counsel, business units |
| Conduct a structured threat assessment to determine the level of dependency on components of the critical national infrastructure. | Chapter 3-2 | CEO, security, IT, business units |
| Conduct a structured threat assessment to determine the proximity of the organization's facilities to facilities or structures that are components of the critical national infrastructure. | Chapter 3-3 | CEO, security, IT, business units |
| Initiate a security improvement process. | Chapter 3-4 | CEO, HR, security, business units |
| Develop procedures for reporting computer-related incidents. | Chapter 4-2 | CEO, IT, legal counsel |
| Assign staff responsibilities for reporting computer-related incidents. | Chapter 4-3 | CEO, IT, legal counsel |
| Evaluate security initiatives for sectors in which the organization has operations. | Chapter 5-1 | CEO, IT, security, business units |
| Assess organizational plans to meet security needs. | Chapter 5-2 | CEO, IT, security, business units |
| Evaluate the methods by which the organization communicates and conducts business transactions with suppliers. | Chapter 6-1 | CFO, IT, business units |
| Determine the vulnerabilities in the systems used to work with suppliers and develop an action plan to improve security in those systems. | Chapter 6-2 | CFO, IT, business units, security |
| Evaluate the methods by which the organization communicates and conducts business transactions with customers. | Chapter 6-3 | CFO, IT, business units |
| Determine the vulnerabilities in the systems used to work with customers and develop an action plan to improve security in those systems. | Chapter 6-4 | CFO, IT, business units, security |
| Evaluate the methods by which the organization communicates and conducts business transactions with service providers. | Chapter 6-5 | CFO, IT, business units |
| Determine the vulnerabilities in the systems used to work with service providers and develop an action plan to improve security in those systems. | Chapter 6-6 | CFO, IT, business units, security |
| Determine if the organization's view of the health of cyberspace is influenced by political, economic, or business issues that could impact IT policies and computer-incident response plans. | Chapter 7-5 | CFO, IT, business units, security |
| Determine if DRPs are up-to-date and if any changes or updates need to be made to the plans. | Chapter 7-7 | IT, disaster recovery, contingency management, business units |
| Determine if there are opportunities to work with local law enforcement agencies on joint training exercises. | Chapter 8-2 | CEO, PR, disaster recovery, business units |
| Evaluate the physical security of computer and network facilities to determine if it meets minimum standards or customary standards for the industry sector; modify physical security procedures as necessary. | Chapter 8-9 | IT, business units, security |
| Determine if the organization wants to make recommendations for priorities in cybersecurity research. | Chapter 8-10 | CEO, IT, legal counsel |
| Determine if the organization can or must provide direct assistance to the federal government in assessing threats and vulnerabilities. | Chapter 10-1 | IT, business units, security, legal counsel |
| If the organization can or needs to work with the federal government on assessing threats and vulnerabilities, develop a plan to accomplish that work. | Chapter 10-2 | IT, business units, security |
| Determine if the organization needs to address the goals and objectives regarding trusted individuals using government computer systems. | Chapter 10-3 | IT, business units, security, legal counsel |
| If the organization needs to work on a trusted individuals program, develop a plan to implement the program, including the use of agreements to safeguard information and warning banners on computer systems. | Chapter 10-4 | IT, business units, security, legal counsel |
| Determine if the organization can or must provide direct assistance to the government in securing outsourcing or procurement operations. | Chapter 10-7 | IT, business units, security, legal counsel |
| If the organization can or needs to work with the government on securing outsourcing or procurement operations, develop a plan to accomplish that work. | Chapter 10-8 | IT, business units, security |
| Determine if the organization can or must provide direct or indirect assistance to the state government in assessing threats and vulnerabilities. | Chapter 10-9 | IT, business units, security, legal counsel |
| If the organization can or needs to work with the state government on assessing threats and vulnerabilities, develop a plan to accomplish that work. | Chapter 10-10 | IT, business units, security |
| Determine if the organization can or must provide direct or indirect assistance to the local government in assessing threats and vulnerabilities. | Chapter 10-11 | IT, business units, security, legal counsel |
| If the organization can or needs to work with the local government on assessing threats and vulnerabilities, develop a plan to accomplish that work. | Chapter 10-12 | IT, business units, security |
| Determine if the organization has operations in any country that is a signatory of the CoE Convention on Cybercrime and analyze how that may impact IT policies, procedures, and operations. | Chapter 11-4 | CEO, IT, legal counsel, business units |
| Devise plans to influence countries in which the organization has operations and that are not signatories of the CoE Convention on Cybercrime to become signatories. | Chapter 11-5 | CEO, IT, legal counsel, business units |

Table 12.2: IT Management Action Checklist

| Action Item | Chapter and Item | Departments Involved |
|---|---|---|
| Evaluate how the organization's position on homeland security impacts IT. | Chapter 1-2 | CEO, IT, legal counsel |
| Assess how the USA Patriot Act impacts IT support requirements. | Chapter 1-3 | CEO, IT, legal counsel |
| Assess if the formation of DHS impacts IT support requirements. | Chapter 1-4 | CEO, IT, legal counsel |
| Evaluate what actions the IT department needs to take if the threat level is raised by the government. | Chapter 1-6 | CEO, IT, legal counsel, business units |
| Evaluate changes in IT management practices that were made as a result of the terrorist attacks of September 11, 2001, to determine if new procedures are still adequate to address current security conditions or needs. | Chapter 2-1 | IT, business units |
| Evaluate changes in IT management practices that were made as a result of the establishment of DHS to determine if new procedures are still adequate to address current security conditions or needs. | Chapter 2-2 | IT, business units |
| Assess the level of training within the IT department to determine if the skill base necessary to evaluate, test, maintain, and improve policies, plans, and procedures exists. | Chapter 2-3 | IT, HR |
| Evaluate IT staffing to determine if the staffing level and staffing mix are adequate to address current needs. | Chapter 2-4 | IT, HR, business units |
| Assess the level of training of IT users to determine what security-related training should be implemented. | Chapter 2-9 | IT, HR, business units |
| Establish an internal organization process to monitor technology development, standards for technology use, and technologies that have been tested and proven effective. | Chapter 3-5 | IT, security, business units |
| Establish policies for reporting computer-related incidents. | Chapter 4-1 | CEO, IT, legal counsel |
| Determine how IT security staff are trained and develop a program to improve training. | Chapter 8-1 | IT, HR |
| Determine if the technology used by the organization meets the Common Criteria standards and make plans to migrate away from technologies that do not meet the standards. | Chapter 8-5 | IT, business units |
| Determine if the technology acquisition process used by the organization requires that products meet Common Criteria standards and modify procedures as necessary. | Chapter 8-6 | IT, purchasing, business units |
| Evaluate the configuration management processes and procedures of the organization to determine if they provide sufficient levels of control to improve security; modify procedures as necessary. | Chapter 8-7 | IT, business units |
| Evaluate the process and procedures for installing patches to eliminate vulnerabilities; modify procedures as necessary. | Chapter 8-8 | IT |
| Determine if the organization needs to address the goals and objectives regarding wireless communications with government computer systems. | Chapter 10-5 | CEO, IT, security, business units |
| Determine if computers or networks that are owned or operated by the organization and located in other countries are or have been under attack. | Chapter 11-1 | CEO, IT, security, business units |
| If computers or networks that are owned or operated by the organization and located in other countries are or have been under attack, develop a reporting mechanism to alert authorities in the United States of these occurrences. | Chapter 11-2 | CEO, IT, security, business units |

Table 12.3: IT Security Action Checklist

| Action Item | Chapter and Item | Departments Involved |
|---|---|---|
| Determine the status of implementation of IS security plans and what related training has been achieved. | Chapter 2-6 | IT security, business units |
| Determine the status of implementation of computer-incident response plans and what related training has been achieved. | Chapter 2-7 | IT security, business units, HR, security |
| Assign staff responsibilities for participating in InfraGard or professional organizations. | Chapter 4-4 | IT security |
| Evaluate IT solutions that address security needs or support new security requirements. | Chapter 5-3 | IT security, business units |
| Compare IT solutions that address security needs or support new security requirements for effectiveness, usability, and return on investment. | Chapter 5-4 | IT security, business units |
| Select and acquire IT products or services. | Chapter 5-5 | IT security, business units |
| Deploy and test applicable IT solutions. | Chapter 5-6 | IT security, business units |
| Monitor performance of IT solutions and tune, enhance, or migrate product sets. | Chapter 5-7 | IT security, business units |
| Evaluate the organization's ability to participate in and benefit from a national cyberincident response system. | Chapter 7-1 | IT security, business units, security |
| Develop processes and procedures to utilize information provided by the national cyberincident response system. | Chapter 7-2 | IT security, business units, security |
| Determine if the organization is using reports, analyses, standards, and recommendations provided by researching agencies such as the NSA and NIST to improve IS security. | Chapter 7-3 | IT security, business units |
| Evaluate how security standards and procedures are set in the organization. | Chapter 7-4 | IT security, business units, security |
| Evaluate the sources of cybersecurity information that the organization has, including vendors, service providers, and other organizations that can be used to maintain security during threat situations. | Chapter 7-6 | IT security, business units, security |
| Determine how the organization obtains information on vulnerabilities and develop steps to obtain more timely information on vulnerabilities. | Chapter 8-3 | IT security, business units, security |
| Determine if the organization actually uses information on vulnerabilities to keep security methods updated, and make changes in the approach if necessary. | Chapter 8-4 | IT security, business units |
| Develop and launch a technology-focused cybersecurity training program for various types of employees, including executives, managers, supervisors, project leaders, and end users in all capacities. | Chapter 9-1 | IT security, HR, business units |
| Develop and launch an information security-focused training program for different types of employees based on their levels and areas of responsibility. | Chapter 9-2 | IT security, HR, business units |
| Evaluate the need for certified computer-security professionals in the organization, and determine a course of action to increase the level of certification of in-house staff. | Chapter 9-3 | IT security, HR, business units |
| If the organization needs to work on securing wireless communications, develop a security plan and implement it. | Chapter 10-6 | IT security, business units |
| Develop a policy and procedure to assist in attack attribution and response, and modify the computer-incident response plan accordingly. | Chapter 11-3 | IT security, business units, legal counsel |


Implementing Homeland Security for Enterprise IT
ISBN: 1555583121
Year: 2003
Pages: 248