This is Part 1 of the two-part series on protection of the critical national infrastructure.
By John Vacca
Because information and computer systems are critical assets to national security, computer and information security is an integral element of sound critical national infrastructure management (see Computer and Information Security Handbook). Cybersecurity threats exploit the increased complexity of network connectivity of critical national infrastructure systems, thus placing a nation’s security, economy, public safety and health at risk.
Ultimately, the responsibility for the success of the critical national infrastructure lies with its management (see Managing Information Security). The goal of an effective management system is to enhance the security and resilience of the critical national infrastructure, and to maintain a cybersecurity environment that encourages efficiency, innovation, and economic prosperity, while promoting safety, security, business confidentiality, privacy, and civil liberties. To achieve this, a set of industry standards and best practices, with the aim of helping organizations manage cybersecurity risks, is in the process of being developed in the United States. This is part of the ongoing establishment of the nation’s cybersecurity program, and of its aim to achieve overall program goals, objectives, and priorities, in support of the mission of the critical national infrastructure. The management of the critical national infrastructure is also responsible for ensuring that the required resources are applied to the program. Further, it must ensure that the program is run in a cost-effective way that is based on business needs without placing additional regulatory requirements on businesses.
Most IT products and resources available make a claim about the functionality and/or network and system security provided (see Network and System Security), and focus on using business drivers to guide cybersecurity activities. Especially when protecting sensitive data, the nation requires a minimum level of assurance that a product’s stated security claim is valid. Preferably, the product must help meet the following needs: a set of cybersecurity activities, outcomes, and informative references that are common across critical national infrastructure sectors, thus providing the detailed guidance for developing individual organizational profiles to help the nation align its cybersecurity activities with its business requirements, risk tolerances, and resources. Further, said product must provide a mechanism for the nation to view and understand the characteristics of managing cybersecurity risk. There are also restrictions regarding certain types of technology, such as cryptography, which require the nation to use only tested and validated products.
The critical national infrastructure initiative should also include a methodology to protect individual privacy and civil liberties when critical infrastructure organizations conduct cybersecurity activities (see Cyber Security and IT Infrastructure Protection). Collaboration with a number of entities is also critical for success. While processes and existing needs differ, the nation can assist in incorporating privacy and civil liberties as part of a comprehensive cybersecurity program. Major initiatives in this program include information security training, awareness and education.
Next week’s article will delve into specific risks and mitigation measures.
John Vacca is an information technology consultant, professional writer, editor, reviewer and internationally known, best-selling author based in Pomeroy, Ohio. Since 1982, John has authored 77 books, including Computer And Information Security Handbook, along with the three additional derivative books that go with it: Managing Information Security, Network and System Security and Cyber Security and IT Infrastructure Protection, and has written more than 600 articles. John was also a configuration management specialist, computer specialist, and the computer security official (CSO) for NASA’s space station program (Freedom) and the International Space Station Program, from 1988 until his retirement from NASA in 1995. In addition, John is an independent online book reviewer. Furthermore, John was one of the security consultants for the MGM movie titled “AntiTrust,” which was released on January 12, 2001. Finally, John can be reached at firstname.lastname@example.org and at www.johnvacca.com.