Information Technology IT Sector - PowerPoint PPT Presentation
1
Information Technology (IT) Sector
IT GCC
DRAFT IT Sector Specific Plan (SSP)
Webinar November 17, 2006
2
Agenda
  • Welcome
  • Larry Clinton, Internet Security Alliance (ISA)
  • Background and Policy Landscape
  • Cheri McGuire, Director, Strategic Initiatives
    Branch, National Cyber Security Division (NCSD)
  • DRAFT IT SSP
  • Paul Kurtz, Cyber Security Industry Alliance
    (CSIA)
  • Paul Nicholas, Microsoft Corporation
  • Questions

Thank you Internet Security Alliance and CyLab
for hosting today's webinar
3
Purpose of IT SSP Webinar
  • Encourage participation in the joint public and
    private sector effort to develop an IT SSP
  • Ensure that the plan:
  • is developed as a joint public and private sector
    effort based on interaction and exchange
  • meets the needs of both the private and public
    sector security partners
  • is useable and useful for both private and public
    sector security partners
  • Discuss the challenges and opportunities
    presented by this effort
  • Institute a non-regulatory approach

4
Background and Policy Landscape
IT GCC
  • November 2006

5
National Framework for Homeland Security
DRAFT IT-SSP
6
Sector Partnership Model
IT Sector Coordinating Council (SCC)
Critical Infrastructure Partnership Advisory
Council
7
National Infrastructure Protection Plan (NIPP)
Goal
8
NIPP Risk Management Framework
IT Sector infrastructure is comprised of functions
NIPP Risk Management Framework
9
Cyber Security in the NIPP Framework
The Department of Homeland Security's (DHS) NCSD
acts as the SSA and collaborates with the IT
Sector security partners
IT Sector Producer and Providers
Responsibility for the Internet is shared by
both the IT Sector and the Communications Sector.
10
DHS and NCSD
Secretary
Under Secretary for Science and Technology
Under Secretary for Preparedness
Under Secretary for Management
Assistant Secretary for Policy
Assistant Secretary for Grants and Training
Assistant Secretary for Infrastructure Protection
Fire Administration
Assistant Secretary for Cyber Security and
Telecommunications
National Capital Region Director
Chief Medical Officer
National Communications System
National Cyber Security Division (includes
US-CERT)
11
DRAFT IT SSP
IT GCC
  • November 2006

12
Who is the IT Sector?
  • IT Sector entities include, but are not limited
    to, the following:
  • Domain Name System root and Generic Top Level
    Domain operators
  • Internet Service Providers/ Internet backbone
    providers/ Internet portal and e-mail providers
  • Networking hardware companies (e.g., fiber-optics
    makers and line acceleration hardware
    manufacturers) and other hardware manufacturers
    (e.g., PC and server manufacturers and
    information storage)
  • Software companies
  • Security services vendors
  • Communications companies that characterize
    themselves as having an IT role
  • Edge and core service providers
  • IT system integrators
  • IT security associations
  • Federal, State, and local governments participate
    in the IT Sector as providers of government IT
    services that are designed to meet the needs of
    citizens, businesses, and employees.
  • Operating Charter of the Information Technology
    Sector Coordinating Council, January 24, 2006
    https://www.it-isac.org/documents/itscc/index.php

13
What is IT Sector infrastructure?
  • The IT Sector infrastructure is comprised of
    functions needed to produce and provide IT
    products, services, and practices which are
    resilient to threats and can be rapidly recovered
  • Critical IT Sector functions are provided by
    numerous entities (often owners and operators and
    their respective associations) that produce and
    provide hardware, software, IT systems, and
    services

14
What is the DRAFT IT Sector Specific Plan?
  • The DRAFT IT SSP was collaboratively developed by
    the NCSD, the IT Sector Coordinating Council
    (SCC) and the IT Government Coordinating Council
    (GCC)
  • The DRAFT IT SSP is a policy and planning
    document that provides guidance on how public and
    private partners will work together to protect
    critical IT Sector infrastructure; it is not an
    operational document.

15
Objective
  • The objective of the DRAFT IT SSP is to:
  • outline the IT Sector's implementation of the
    NIPP risk management framework,
  • provide a statement of security goals and
    objectives,
  • identify and align initiatives to meet these
    goals,
  • identify resource needs and track implementation
    to ensure that the goals can be met, and
  • create an ongoing process for coordinated private
    and public sector planning.

16
Vision Statement
  • Working together, public and private security
    partners will continue to prevent, prepare for,
    protect against, respond to, and recover from
    incidents of national significance
  • including those cyber and physical incidents that
    threaten, disrupt, or cripple IT Sector
    infrastructure, technological emergencies, or
    Presidentially declared disasters
  • IT Sector public and private security partners
    will continue promoting infrastructure resilience
    to support
  • the Federal Government's performance of essential
    national security missions and preservation of
    general public health and safety,
  • state and local governments' ability to maintain
    order and to deliver minimum essential public
    services, and
  • the orderly functioning of the economy.

based on Homeland Security Presidential
Directive Seven, Critical Infrastructure
Identification, Prioritization, and Protection
17
DRAFT IT SSP Security Goals
Prevention and Protection through Risk Management
Situational Awareness
Response, Recovery, and Reconstitution
18
Prevention and Protection through Risk Management
  • Identify and update as necessary critical IT
    Sector functions that support the Nation's
    security, economy, public health and safety.
  • Assess and prioritize risks to critical IT Sector
    functions, including understanding emerging
    threats, vulnerabilities, and technology, and
    mapping them against the infrastructure to enable
    prioritization of protective efforts.
  • Tailor protective measures, which mitigate
    associated consequences, vulnerabilities and
    threats, to accommodate the diversity of the IT
    Sector and develop and share security best
    practices and protective measures with IT Sector
    security partners and other infrastructure
    sectors.
  • Encourage IT Sector organizations to adopt risk
    management approaches which improve the overall
    posture of the Sector.

19
Situational Awareness
  • Collaborate, develop, and share appropriate
    threat and vulnerability information between the
    IT Sector and the government, including
    developing indications and warnings.
  • Expand strategic analytical capabilities that
    enable public-private collaboration to
    proactively identify potential future incidents.

20
Response, Recovery, and Reconstitution
  • Maintain communications, including establishing
    mechanisms and processes to communicate with
    other sectors, in all contingencies and test
    communication plans and programs annually.
  • Maintain national and international incident
    response and coordination plans and procedures
    and exercise them annually to ensure readiness
    and resiliency.
  • Develop plans, protocols, and procedures to
    ensure that critical sector functions can be
    rapidly reconstituted after an incident.
  • Collaborate with law enforcement to rapidly
    identify and mitigate criminal activities that
    could potentially harm the sector's
    infrastructure.

21
Critical IT Sector Functions
  • IT-SCC and IT GCC Subject Matter Experts (SMEs)
    collaboratively identified six critical functions
  • Producing and providing:
  • IT Products and Services
  • Incident Management Capabilities
  • Domain Name Resolution Services
  • Identity Management and Trust Support Services
  • Internet-based Content, Information and
    Communications Services
  • Internet Routing, Access and Connection Services
  • in close collaboration with the Communications
    Sector

22
National Risk Management Approach
Identify Critical IT Sector Functions
Assess Threats
Mitigations
Apply threats to critical functions
Assess Vulnerabilities
Mitigations
Assess Consequences
Mitigations
  • To assess sector-wide risk, not risk for
    individual IT Sector entities

23
Develop and Implement Protective Programs
24
Information Sharing
  • Discusses a vision and actions for an enhanced
    information sharing framework that addresses
  • Focal points for information sharing within the
    IT Sector
  • Policy-related issues
  • IT SCC
  • IT GCC
  • Operational information exchange
  • IT Information Sharing and Analysis Center
    (IT-ISAC)
  • United States Computer Emergency Readiness Team
    (US-CERT)
  • Multi-State ISAC (MS-ISAC) for the Federal,
    State, and local government
  • Other Information Sharing and Analysis Centers
    (ISAC) as appropriate
  • Policies and procedures for sharing and reporting
    incidents
  • Protecting and disseminating sensitive
    (government and industry) proprietary information
  • Mechanisms for communicating and disseminating
    information

25
Research and Development (R&D)
  • Leverages the President's Information Technology
    Advisory Committee (PITAC) and National Science
    and Technology Council's (NSTC) Federal Cyber
    Security and Information Assurance (CSIA) R&D
    Plan
  • Identifies Nine Key R&D Focus Areas
  • Cyber Situational Awareness and Response
  • Forensics
  • Identity Management: Authentication,
    Authorization, and Accounting
  • Intrinsic Infrastructure Protocols Security
  • Modeling and Testing
  • Process Control Systems Security
  • Secure Coding and Software Engineering
  • Scalable and Composable Secure Systems
  • Trust and Privacy

26
Tracking SSP Implementation
  • First year focus is refining risk management and
    protective programs and demonstrating progress in
    implementing the actions described in the IT SSP

Proposed IT Sector Measurement Approach
27
How can you participate?
  • Download the IT SSP at
    http://www.it-scc.org/documents/itscc/IT_SSP_Second_Draft_v2.pdf
  • Review and comment on the IT SSP by Dec 1; send
    comments to itssp_comments@it-isac.org
  • Facilitate implementation of the IT SSP
  • Join the IT SCC and/or IT-ISAC

IT SCC: www.it-scc.org
IT-ISAC: www.it-isac.org
28
Questions?
29
Backup Slides
30
IT SCC Value
  • Public Policy Input and Guidance
  • Provides members the opportunity to shape
    national CIP policy by working directly with
    industry and government decision makers.
  • Cross Sector Collaboration
  • Work with telecom and other sectors to identify
    opportunities for collaboration
  • Corporate Responsibility and Thought Leadership
  • Participation in the SCC demonstrates your
    company's homeland security commitment to your
    customers and government colleagues

31
IT-ISAC Value
  • Access to Sensitive Threat, Vulnerability and
    Analytical Products: Delivers, to members and
    government, vendor-neutral, private-sector-driven
    analysis of the security of, and threats to, the
    Information Infrastructure.
  • Collaboration in a Trusted Forum: Provides a
    vetted, trusted and confidential forum for
    members to share sensitive information and
    conduct collaborative analysis.
  • Anonymity for Members: Provides members the
    ability to share critical and sensitive
    information within industry and to government
    without attribution.
  • Access to Cross Sector and Government
    Information, Contacts and Tools: Provides
    information and analysis from other critical
    infrastructure sectors and governments, and the
    opportunity through the ISAC to provide IT Sector
    input into decisions.
  • Emergency Response Coordination, Operational
    Practices, and Exercises: Provides subject matter
    expertise, through the operations center and
    members, needed to coordinate sector-wide
    responses to incidents and emergencies affecting
    the Information Infrastructure.
