Phase 1: Memo –
In this phase, you need to create a 3-5 page professional memo about your assessment of what needs to be done to meet the standards based on the National Infrastructure Protection Plan. You need to make sure that the language in the memo is clear and free of errors. You also need to be creative in presenting this information to capture the most important points from the National Infrastructure Protection Plan. You need to demonstrate critical thinking to prioritize the action items based on your findings.
Theories of Security Management
To: The Chief Information Officer
From: Information Systems Security Director
Date: October 23, 2017
Subject: Meeting the Standards based on NIPP
The National Infrastructure Protection Plan (NIPP) sets out standards to enhance the protection and resiliency of critical infrastructure in the country. The Infrastructure Protection Plan must take into consideration the provisions set out by the NIPP in enhancing protection and resiliency of information systems. In the current environment, organizations are increasingly facing serious threats due to exposure of their information systems to external threats. The high dependence and interdependence of the information systems increases vulnerability to attacks, which may result in a single point of weakness and affect the entire system. This memo is an assessment of what the Infrastructure Protection Plan should include based on the NIPP standards.
The Infrastructure Protection Plan should enhance information sharing as set out in the NIPP. One of the key goals of the NIPP is to enhance the sharing of information about security threats facing the information systems (Department of Homeland Security (DHS), 2009). Sharing of information should be accurate and timely to facilitate decision-making. Information sharing should include incident reporting, warnings, and alerts about possible and actual incidents. The Infrastructure Protection Plan should enhance collaborations among various partners. The strength of the NIPP largely depends on the nature of collaborations between the public and private sector (DHS, 2009). The collaboration between the public and private sector improves the understanding of security threats and vulnerabilities facing the information systems. For instance, the public and private sector may share the best practices for eliminating or managing active and potential threats. Nonetheless, both the public and private sector entities manage their own risks at the organizational level.
The National Infrastructure Program must include an effective risk management program. The risk management program entails dealing with potential risks and hazards to the information systems (DHS, 2009). The organization should engage in continuous risk assessments and frequently update the risk management systems. Under risk management, the organization should also adopt new technologies to increase its effectiveness in managing risks. The National Infrastructure Program must integrate security and resilience programs. Security and resilience should be factored into the design of systems and networks. During the development of the Infrastructure Protection Plan, the developers should apply infrastructure reliance principles (DHS, 2009). This may lead to improved effectiveness of the system’s ability to identify and deter threats. The security and resilience programs ensure that the network and systems can withstand a significant number of attacks.
The Infrastructure Protection Plan should include ways of regulating access to stored information or data (DHS, 2009). The organization must develop ways of protecting access to data. This ranges from implementing physical restrictions to the use of passwords to restrict access. Restricting access begins with putting physical safeguards on the organization’s information systems. The next step is to implement controls against unauthorized access through remote means such as cyberattacks. The Infrastructure Protection Plan should include a risk assessment plan. The Chief Information Officer should conduct risk assessments on a regular basis in order to identify and correct system vulnerabilities. Risk assessment is also critical in identifying threats facing the organization (DHS, 2009). The threats may range from natural disasters, such as damage to the physical systems in case of flooding, to manmade threats such as cyberattacks. Risk assessments should bear four characteristics: they should be reproducible, defensible, complete, and documented.
The plan should include scenario identification. This entails identifying the specific risks that may affect the organization (DHS, 2009). There may be different risks facing the organization’s assets, systems, and networks. The key here is to identify the consequences of risks, system vulnerabilities, and potential threats in the environment. In conducting risk scenario identification, it is important to map the components for which the possibility of risk would lead to the highest consequences. This can enable the security experts to learn where to implement protective measures. It is worth noting that open systems are likely to face increased risk of attacks, making screenings ineffective no matter how regularly the screenings occur. The risk scenario should evaluate all the potential sources of harm (DHS, 2009). In addition, the risk scenario should include an evaluation of the conditions for evaluating consequences and vulnerabilities, for instance, applying the worst-case scenario in the possibility of terrorist attacks.
The Infrastructure Protection Plan should include a consequence assessment plan. Consequence assessment involves the analysis of the challenges the organization may face in case of an attack that cripples its networks and systems. Some attacks may be severe, affecting the organization’s critical processes. Other attacks may be limited to a few operations. The organization should mainly focus on risks that may cause a major disruption in operations if they occur, for instance, risks that may lead to a negative public image of the organization (DHS, 2009). Lastly, the plan should include a vulnerability assessment. Vulnerability assessment involves focusing on certain inherent attributes of the network and systems that may render them susceptible to attacks. System and network vulnerabilities may emerge from various sources. Some of these include lack of a firewall, use of legacy systems, and inadequate physical safeguards in the organization.
Department of Homeland Security (DHS). (2009). National Infrastructure Protection Plan. Retrieved from http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf