Information Technology IT Sector

1
Information Technology (IT) Sector
IT GCC
DRAFT IT Sector Specific Plan (SSP)
Webinar November 17, 2006
2
Agenda

• Welcome
• Larry Clinton, Internet Security Alliance (ISA)
• Background and Policy Landscape
• Cheri McGuire, Director Strategic Initiatives
  Branch, National Cyber Security Division (NCSD)
• DRAFT IT SSP
• Paul Kurtz, Cyber Security Industry Alliance
  (CSIA)
• Paul Nicholas, Microsoft Corporation
• Questions

Thank you Internet Security Alliance and CyLab
for hosting todays webinar
3
Purpose of IT SSP Webinar

• Encourage participation in the joint public and
  private sector effort to develop an IT SSP
• Ensure that the plan-
• is developed as a joint public and private sector
  effort based on interaction and exchange
• meets the needs of both the private and public
  sector security partners
• is useable and useful for both private and public
  sector security partners
• Discuss the challenges and opportunities
  presented by this effort
• Institute a non-regulatory approach

4
Background and Policy Landscape
IT GCC

• November 2006

5
National Framework for Homeland Security
DRAFT IT-SSP
6
Sector Partnership Model
IT Sector Coordinating Council (SCC)
Critical Infrastructure Partnership Advisory
Council
7
National Infrastructure Protection Plan (NIPP)
Goal
8
NIPP Risk Management Framework
IT Sector infrastructure is comprised of functions
NIPP Risk Management Framework
9
Cyber Security in the NIPP Framework
The Department of Homeland Security's (DHS) NCSD
acts as the SSA and collaborates with the IT
Sector security partners
IT Sector Producer and Providers
Responsibility for the Internet is shared by
both the IT Sector and the Communications Sector.
10
DHS and NCSD
Secretary
Under Secretary for Science Technology
Under Secretary for Preparedness
Under Secretary for Management
Assistant Secretary for Policy
Assistant Secretary for Grants and Training
Assistant Secretary for Infrastructure Protection
Fire Administration
Assistant Secretary for Cyber Security
Telecommunications
National Capital Region Director
Chief Medical Officer
National Communications System
National Cyber Security Division (includes
US-CERT)
11
DRAFT IT SSP
IT GCC

• November 2006

12
Who is the IT Sector?

• IT Sector entities include, but are not limited
  to the following
• Domain Name System root and Generic Top Level
  Domain operators
• Internet Service Providers/ Internet backbone
  providers/ Internet portal and e-mail providers
• Networking hardware companies (e.g., fiber-optics
  makers and line acceleration hardware
  manufacturers) and other hardware manufacturers
  (e.g., PC and server manufacturers and
  information storage)
• Software companies
• Security services vendors
• Communications companies that characterize
  themselves as having an IT role
• Edge and core service providers
• IT system integrators
• IT security associations
• Federal, State, and local governments participate
  in the IT Sector as providers of government IT
  services that are designed to meet the needs of
  citizens, businesses, and employees.

• Operating Charter of the Information Technology
  Sector Coordinating Council, January 24, 2006
  https//www.it-isac.org/documents/itscc/index.php

13
What is IT Sector infrastructure?

• The IT Sector infrastructure is comprised of
  functions needed to produce and provide IT
  products, services, and practices which are
  resilient to threats and can be rapidly recovered
• Critical IT Sector functions are provided by
  numerous entities often owners and operators and
  their respective associationsthat produce and
  provide hardware, software, IT systems, and
  services

14
What is the DRAFT IT Sector Specific Plan?

• The DRAFT IT SSP was collaboratively developed by
  the NCSD, the IT Sector Coordinating Council
  (SCC) and the IT Government Coordinating Council
  (GCC)
• The DRAFT IT SSP is a policy and planning
  document that provides guidance on how public and
  private partners will work together to protect
  critical IT Sector infrastructure it is not an
  operational document.

15
Objective

• The objective of the DRAFT IT SSP is to
• outline the IT sectors implementation of the
  NIPP risk management framework,
• provide a statement of security goals and
  objectives,
• identify and align initiatives to meet these
  goals,
• identify resource needs and track implementation
  to ensure that the goals can be met, and
• create an ongoing process for coordinated private
  and public sector planning.

16
Vision Statement

• Working together, public and private security
  partners will continue to prevent, prepare for,
  protect against, respond to, and recover from
  incidents of national significance
• including those cyber and physical incidents that
  threaten, disrupt, or cripple IT Sector
  infrastructure, technological emergencies, or
  Presidentially declared disaster
• IT Sector public and private security partners
  will continue promoting infrastructure resilience
  to support
• the Federal Governments performance of essential
  national security missions and preservation of
  general public health and safety,
• state and local governments ability to maintain
  order and to deliver minimum essential public
  services, and
• the orderly functioning of the economy.

based on Homeland Security Presidential
Directive Seven Critical Infrastructure
Identification, Prioritization, and Protection
17
DRAFT IT SSP Security Goals
Prevention and Protection through Risk Management
Situational Awareness
Response, Recovery Reconstitution
18
Prevention and Protection through Risk Management

• Identify and update as necessary critical IT
  Sector functions that support the Nations
  security, economy, public health and safety.
• Assess and prioritize risks to critical IT Sector
  functions, including understanding emerging
  threats, vulnerabilities, and technology, and
  mapping them against the infrastructure to enable
  prioritization of protective efforts.
• Tailor protective measures, which mitigate
  associated consequences, vulnerabilities and
  threats, to accommodate the diversity of the IT
  Sector and develop and share security best
  practices and protective measures with IT Sector
  security partners and other infrastructure
  sectors.
• Encourage IT Sector organizations to adopt risk
  management approaches which improve the overall
  posture of the Sector.

19
Situational Awareness

• Collaborate, develop, and share appropriate
  threat and vulnerability information between the
  IT Sector and the government, including
  developing indications and warnings.
• Expand strategic analytical capabilities that
  enable public-private collaboration to
  proactively identify potential future incidents.

20
Response, Recovery Reconstitution

• Maintain communications, including establishing
  mechanisms and processes to communicate with
  other sectors, in all contingencies and test
  communication plans and programs annually.
• Maintain national and international incident
  response and coordination plans and procedures
  and exercise them annually to ensure readiness
  and resiliency.
• Develop plans, protocols, and procedures to
  ensure that critical sector functions can be
  rapidly reconstituted after an incident.
• Collaborate with law enforcement to rapidly
  identify and mitigate criminal activities that
  could potentially harm the sectors
  infrastructure.

21
Critical IT Sector Functions

• IT-SCC and IT GCC Subject Matter Experts (SME)
  collaboratively identified six critical functions
• Producing and providing-
• IT Products and Services
• Incident Management Capabilities
• Domain Name Resolution Services
• Identity Management and Trust Support Services
• Internet-based Content, Information and
  Communications Services
• Internet Routing, Access and Connection Services

• in close collaboration with the Communications
  Sector

22
National Risk Management Approach
Identify Critical IT Sector Functions
Assess Threats
Mitigations
Apply threats to critical functions
Assess Vulnerabilities
Mitigations
Assess Consequences
Mitigations

• To assess sector-wide risk not for individual
  IT Sector entities

23
Develop Implement Protective Programs
24
Information Sharing

• Discusses a vision and actions for an enhanced
  information sharing framework that addresses
• Focal points for information sharing within the
  IT Sector
• Policy-related issues
• IT SCC
• IT GCC
• Operational information exchange
• IT Information Sharing and Analysis Center
  (IT-ISAC)
• United States Computer Emergency Readiness Team
  (US-CERT)
• Multi-State ISAC (MS-ISAC) for the Federal,
  State, and local government
• Other Information Sharing and Analysis Centers
  (ISAC) as appropriate
• Policies and procedures for sharing and reporting
  incidents
• Protecting and disseminating sensitive
  (government and industry) proprietary information
• Mechanisms for communicating and disseminating
  information

25
Research and Development (RD)

• Leverages Presidents Information Technology
  Advisory Committee (PITAC) and National Science
  and Technology Councils (NSTC) Federal Cyber
  Security and Information Assurance (CSIA) RD
  Plan
• Identifies Nine Key RD Focus Areas
• Cyber Situational Awareness and Response
• Forensics
• Identity Management Authentication,
  Authorization, and Accounting
• Intrinsic Infrastructure Protocols Security
• Modeling and Testing
• Process Control Systems Security
• Secure Coding and Software Engineering
• Scalable and Composable Secure Systems
• Trust and Privacy

26
Tracking SSP Implementation

• First year focus is refining risk management and
  protective programs and demonstrating progress in
  implementing the actions described in the IT SSP

Proposed IT Sector Measurement Approach
?
27
How can you participate?

• Download the IT SSP at
  http//www.it-scc.org/documents/itscc/IT_SSP_Secon
  d_Draft_v2.pdf
• Review and comment on IT SSP by Dec 1 send
  comments to itssp_comments_at_it-isac.org
• Facilitate implementation of the IT SSP
• Join the IT SCC and/or IT-ISAC

IT SCC www.it-scc.org IT-ISAC
www.it-isac.org
28
Questions?
29
Backup Slides
30
IT SCC Value

• Public Policy Input and Guidance
• Provides members the opportunity to shape
  national CIP policy by working directly with
  industry and government decision makers.
• Cross Sector Collaboration
• Work with telecom and other sectors to identify
  opportunities for collaboration
• Corporate Responsibility and Thought Leadership
• Participation in the SCC demonstrates your
  companys homeland security commitment to your
  customers and government colleagues

31
IT-ISAC Value

• Access to Sensitive Threat, Vulnerability and
  Analytical Products Delivers, to members and
  government, vendor neutral, private sector
  driven, analysis of the security of, and threats
  to, the Information Infrastructure.
• Collaboration in a Trusted Forum Provides a
  vetted, trusted and confidential forum for
  members to share sensitive information and
  conduct collaborative analysis.
• Anonymity for Members Provides members the
  ability to share critical and sensitive
  information within industry and to government
  without attribution.
• Access to Cross Sector and Government
  Information, Contacts and Tools Provides
  information and analysis from other critical
  infrastructure sectors and governments, and the
  opportunity through the ISAC to provide IT sector
  input into decisions.
• Emergency Response Coordination, Operational
  Practices, and Exercises Provides subject matter
  expertise, through the operations center and
  members, needed to coordinate sector wide
  responses to incidents and emergencies affecting
  the Information Infrastructure.

32
(No Transcript)