Title: Information Technology (IT) Sector
Information Technology (IT) Sector
IT GCC
DRAFT IT Sector Specific Plan (SSP)
Webinar, November 17, 2006
Agenda
- Welcome
  - Larry Clinton, Internet Security Alliance (ISA)
- Background and Policy Landscape
  - Cheri McGuire, Director, Strategic Initiatives Branch, National Cyber Security Division (NCSD)
- DRAFT IT SSP
  - Paul Kurtz, Cyber Security Industry Alliance (CSIA)
  - Paul Nicholas, Microsoft Corporation
- Questions
Thank you to the Internet Security Alliance and CyLab for hosting today's webinar.
Purpose of IT SSP Webinar
- Encourage participation in the joint public and private sector effort to develop an IT SSP
- Ensure that the plan:
  - is developed as a joint public and private sector effort based on interaction and exchange
  - meets the needs of both the private and public sector security partners
  - is useable and useful for both private and public sector security partners
- Discuss the challenges and opportunities presented by this effort
- Institute a non-regulatory approach
Background and Policy Landscape
IT GCC
National Framework for Homeland Security
(Diagram: DRAFT IT-SSP within the national framework)
Sector Partnership Model
(Diagram: IT Sector Coordinating Council (SCC); Critical Infrastructure Partnership Advisory Council)
National Infrastructure Protection Plan (NIPP) Goal
NIPP Risk Management Framework
(Diagram: NIPP Risk Management Framework; IT Sector infrastructure is comprised of functions)
Cyber Security in the NIPP Framework
The Department of Homeland Security's (DHS) NCSD acts as the Sector-Specific Agency (SSA) and collaborates with the IT Sector security partners.
IT Sector Producers and Providers
Responsibility for the Internet is shared by both the IT Sector and the Communications Sector.
DHS and NCSD (organization chart)
- Secretary
  - Under Secretary for Science & Technology
  - Under Secretary for Preparedness
  - Under Secretary for Management
  - Assistant Secretary for Policy
  - Assistant Secretary for Grants and Training
  - Assistant Secretary for Infrastructure Protection
  - Fire Administration
  - Assistant Secretary for Cyber Security & Telecommunications
    - National Communications System
    - National Cyber Security Division (includes US-CERT)
  - National Capital Region Director
  - Chief Medical Officer
DRAFT IT SSP
IT GCC
Who is the IT Sector?
- IT Sector entities include, but are not limited to, the following:
  - Domain Name System root and Generic Top Level Domain operators
  - Internet Service Providers / Internet backbone providers / Internet portal and e-mail providers
  - Networking hardware companies (e.g., fiber-optics makers and line acceleration hardware manufacturers) and other hardware manufacturers (e.g., PC and server manufacturers and information storage)
  - Software companies
  - Security services vendors
  - Communications companies that characterize themselves as having an IT role
  - Edge and core service providers
  - IT system integrators
  - IT security associations
- Federal, State, and local governments participate in the IT Sector as providers of government IT services that are designed to meet the needs of citizens, businesses, and employees.
- Source: Operating Charter of the Information Technology Sector Coordinating Council, January 24, 2006, https://www.it-isac.org/documents/itscc/index.php
What is IT Sector infrastructure?
- The IT Sector infrastructure is comprised of functions needed to produce and provide IT products, services, and practices which are resilient to threats and can be rapidly recovered.
- Critical IT Sector functions are provided by numerous entities (often owners and operators and their respective associations) that produce and provide hardware, software, IT systems, and services.
What is the DRAFT IT Sector Specific Plan?
- The DRAFT IT SSP was collaboratively developed by the NCSD, the IT Sector Coordinating Council (SCC) and the IT Government Coordinating Council (GCC).
- The DRAFT IT SSP is a policy and planning document that provides guidance on how public and private partners will work together to protect critical IT Sector infrastructure; it is not an operational document.
Objective
- The objective of the DRAFT IT SSP is to:
  - outline the IT Sector's implementation of the NIPP risk management framework,
  - provide a statement of security goals and objectives,
  - identify and align initiatives to meet these goals,
  - identify resource needs and track implementation to ensure that the goals can be met, and
  - create an ongoing process for coordinated private and public sector planning.
Vision Statement
- Working together, public and private security partners will continue to prevent, prepare for, protect against, respond to, and recover from incidents of national significance:
  - including those cyber and physical incidents that threaten, disrupt, or cripple IT Sector infrastructure, technological emergencies, or Presidentially declared disasters
- IT Sector public and private security partners will continue promoting infrastructure resilience to support:
  - the Federal Government's performance of essential national security missions and preservation of general public health and safety,
  - state and local governments' ability to maintain order and to deliver minimum essential public services, and
  - the orderly functioning of the economy.
Based on Homeland Security Presidential Directive Seven (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection.
DRAFT IT SSP Security Goals
- Prevention and Protection through Risk Management
- Situational Awareness
- Response, Recovery & Reconstitution
Prevention and Protection through Risk Management
- Identify, and update as necessary, critical IT Sector functions that support the Nation's security, economy, public health and safety.
- Assess and prioritize risks to critical IT Sector functions, including understanding emerging threats, vulnerabilities, and technology, and mapping them against the infrastructure to enable prioritization of protective efforts.
- Tailor protective measures, which mitigate associated consequences, vulnerabilities and threats, to accommodate the diversity of the IT Sector, and develop and share security best practices and protective measures with IT Sector security partners and other infrastructure sectors.
- Encourage IT Sector organizations to adopt risk management approaches which improve the overall posture of the Sector.
Situational Awareness
- Collaborate, develop, and share appropriate threat and vulnerability information between the IT Sector and the government, including developing indications and warnings.
- Expand strategic analytical capabilities that enable public-private collaboration to proactively identify potential future incidents.
Response, Recovery & Reconstitution
- Maintain communications, including establishing mechanisms and processes to communicate with other sectors, in all contingencies, and test communication plans and programs annually.
- Maintain national and international incident response and coordination plans and procedures and exercise them annually to ensure readiness and resiliency.
- Develop plans, protocols, and procedures to ensure that critical sector functions can be rapidly reconstituted after an incident.
- Collaborate with law enforcement to rapidly identify and mitigate criminal activities that could potentially harm the sector's infrastructure.
Critical IT Sector Functions
- IT-SCC and IT GCC Subject Matter Experts (SMEs) collaboratively identified six critical functions:
- Producing and providing:
  - IT Products and Services
  - Incident Management Capabilities
  - Domain Name Resolution Services
  - Identity Management and Trust Support Services
  - Internet-based Content, Information and Communications Services
  - Internet Routing, Access and Connection Services (in close collaboration with the Communications Sector)
National Risk Management Approach
(Diagram: Identify Critical IT Sector Functions; Assess Threats, with Mitigations; Apply threats to critical functions; Assess Vulnerabilities, with Mitigations; Assess Consequences, with Mitigations)
- The approach assesses sector-wide risk, not risk to individual IT Sector entities
Develop & Implement Protective Programs
Information Sharing
- Discusses a vision and actions for an enhanced information sharing framework that addresses:
  - Focal points for information sharing within the IT Sector
    - Policy-related issues
      - IT SCC
      - IT GCC
    - Operational information exchange
      - IT Information Sharing and Analysis Center (IT-ISAC)
      - United States Computer Emergency Readiness Team (US-CERT)
      - Multi-State ISAC (MS-ISAC) for the Federal, State, and local government
      - Other Information Sharing and Analysis Centers (ISACs) as appropriate
  - Policies and procedures for sharing and reporting incidents
  - Protecting and disseminating sensitive (government and industry) proprietary information
  - Mechanisms for communicating and disseminating information
Research and Development (R&D)
- Leverages the President's Information Technology Advisory Committee (PITAC) and the National Science and Technology Council's (NSTC) Federal Cyber Security and Information Assurance (CSIA) R&D Plan
- Identifies nine key R&D focus areas:
  - Cyber Situational Awareness and Response
  - Forensics
  - Identity Management: Authentication, Authorization, and Accounting
  - Intrinsic Infrastructure Protocols Security
  - Modeling and Testing
  - Process Control Systems Security
  - Secure Coding and Software Engineering
  - Scalable and Composable Secure Systems
  - Trust and Privacy
Tracking SSP Implementation
- First year focus is refining risk management and protective programs and demonstrating progress in implementing the actions described in the IT SSP
(Figure: Proposed IT Sector Measurement Approach)
How can you participate?
- Download the IT SSP at http://www.it-scc.org/documents/itscc/IT_SSP_Second_Draft_v2.pdf
- Review and comment on the IT SSP by Dec 1; send comments to itssp_comments_at_it-isac.org
- Facilitate implementation of the IT SSP
- Join the IT SCC and/or IT-ISAC
  - IT SCC: www.it-scc.org
  - IT-ISAC: www.it-isac.org
Questions?
Backup Slides
IT SCC Value
- Public Policy Input and Guidance
  - Provides members the opportunity to shape national CIP policy by working directly with industry and government decision makers.
- Cross Sector Collaboration
  - Work with telecom and other sectors to identify opportunities for collaboration
- Corporate Responsibility and Thought Leadership
  - Participation in the SCC demonstrates your company's homeland security commitment to your customers and government colleagues
IT-ISAC Value
- Access to Sensitive Threat, Vulnerability and Analytical Products: delivers, to members and government, vendor-neutral, private-sector-driven analysis of the security of, and threats to, the Information Infrastructure.
- Collaboration in a Trusted Forum: provides a vetted, trusted and confidential forum for members to share sensitive information and conduct collaborative analysis.
- Anonymity for Members: provides members the ability to share critical and sensitive information within industry and to government without attribution.
- Access to Cross Sector and Government Information, Contacts and Tools: provides information and analysis from other critical infrastructure sectors and governments, and the opportunity through the ISAC to provide IT Sector input into decisions.
- Emergency Response Coordination, Operational Practices, and Exercises: provides subject matter expertise, through the operations center and members, needed to coordinate sector-wide responses to incidents and emergencies affecting the Information Infrastructure.