Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Industrial Engineering
  3. Supply Chain Management

Resiliency Rules: 7 Steps for Resiliency in Critical Infrastructure Protection

advertisement 
Resiliency Rules:
7 Steps for Resiliency in
Critical Infrastructure
Protection
Phil Sodoma
Director, International Security Strategy
Trustworthy Computing Group
Microsoft
Resiliency Rules
Government,
infrastructure
owners/operators
can collaboratively
pursue these core
enablers of
resiliency and
infrastructure
security
7 Steps for Resiliency in
Critical Infrastructure
Protection
CIP Goals
Establishing Clear Goals
is Central to Success
Understanding Roles
Promotes Coordination
CIP Roles
Government
Define Policy and Identify Roles
“What’s the goal”
Determine Acceptable Risk Levels
Public-Private Partnership
“What’s critical”
Incidences, emerging
issues, & changing
conditions :
Infrastructure
“Prioritize Risks”
M easure
Effectiveness
Assess Risks
Implement
Controls
Identify
Controls and
M itigations
Operators
“Best control solutions”
constantly update risk
assessment
Define Roles
CIIP
Coordinator
(Executive
Sponsor)
Understanding roles and
objectives promotes trust
and efficiency
Public-Private
Partnerships
Infrastructure
Owners and
Operators
Law
Enforcement
SectorSpecific
Agency
Government
Computer
Emergency
Response Team
Shared
IT Vendors
and
Solution
Providers
Private
Identify and Prioritize
Critical Functions
Collaborate to understand
Interdependencies
y Establish an open
Critical Function
Infrastructure
Element
Supply
Chain
Supply
Chain
dialogue to
understand the
Key Resource
Supply
Chain
Critical Function
Infrastructure
Element
Critical Function
Infrastructure
Element
Supply
Chain
Supply
Chain
critical functions,
infrastructure elements,
and key resources
necessary for:
Supply
Chain
Key Resource
Supply
Chain
Supply
Chain
Key Resource
Supply
Chain
Supply
Chain
Understand
Interdependencies
y delivering essential
services,
y maintaining the orderly
operations of the
economy, and
y helping to ensure public
safety.
Continuously Assess
and Manage Risks
• Evaluate Program
Effectiveness
• Leverage Findings to
Improve Risk Management
Protection is the Continuous
Application of Risk
Management
• Identify Key Functions
• Assess Risks
• Evaluate Consequences
Incidences, emerging
issues, & changing
conditions :
constantly update risk
assessment
• Define Functional Requirements
• Evaluate Proposed Controls
• Estimate Risk Reduction/Cost Benefit
• Select Mitigation Strategy
Establish and
Exercise Emergency
plans
y
Improve Operational
Coordination
Public- and private-sector organizations alike can benefit from developing joint
plans for managing emergencies, including recovering critical functions in the
event of significant incidents, including but not limited to:
y
y
y
y
natural disasters
terrorist attacks
technological failures
accidents.
y
Emergency response plans can mitigate damage and promote resiliency.
y
Effective emergency response plans are generally short and highly actionable so
they can be readily tested, evaluated, and implemented.
y
Testing and exercising emergency response plans promotes trust,
understanding, and greater operational coordination among public- and privatesector organizations.
y
Exercises also provide an important opportunity to identify new risk factors that
can be addressed in response plans or controlled through regular risk
management functions.
Create Public-Private
Partnerships
Collaboration is key to
protecting critical
infrastructure
Build Security &
Resiliency into
Infrastructure
Building security and resiliency
into infrastructure operations
Security
Controls
Security is a continuous
process
Critical Functions
(Global, National, Local)
Infrastructure
Operations
Management
Technical
Operational
Fosters increased security and
resiliency for the critical functions
that support safety, security and
commerce at all levels
Update and Innovate
Technology/Processes
Mitigate threats by keeping
technology current and
practices innovative
Questions?
Appendix
Security Development
Lifecycle (SDL)
Security is a continuous
process
The Security
Development Lifecycle
Product
Inception
Assign
security
advisor
Identify
security
milestones
Plan
security
integration
into product
Design
Define
security
architecture
and design
guidelines
Document
elements of
software
attack
surface
Threat
Modeling
Standards,
best
practices,
and tools
Apply coding
and testing
standards
Apply
security tools
(fuzzing
tools, staticanalysis
tools, etc.)
Driving Change Across
Microsoft
Security Push
Security code
reviews
Focused
security
testing
Review
against new
threats
Meet signoff
criteria
Final Security
Review
Independent
review
conducted by
the security
team
Penetration
testing
Archiving of
compliance
info
RTM and
Deployment
Signoff
Microsoft Innovations Drive
Service
s
Edge
Ne
tw
or
k
Server
Applications
Ac
ce
ss
Pr
ot
ec
t io
n
Enc
ryp
t i ng
File
Sys
BitL
tem
ock
(EF
er™
S)
Information
Protection
Client and
Server OS
(N
AP
)
Identity
Management
Systems
Management
Active Directory
Federation Services
(ADFS)
Guidance
Developer
Tools
Related documents
PSYCHOLOGY MONTH 2016 Department of Psychology, Dufferin-Peel CDSB
PSYCHOLOGY MONTH 2016 Department of Psychology, Dufferin-Peel CDSB
This work is licensed under a . Your use of this
This work is licensed under a . Your use of this
ITU slides
ITU slides
This work is licensed under a . Your use of this
This work is licensed under a . Your use of this
Editorial: Stress Among Health Care Professionals - The Need for Resiliency
Editorial: Stress Among Health Care Professionals - The Need for Resiliency
Government-Industry Collaboration: 7 Steps for Resiliency in Critical Infrastructure
Government-Industry Collaboration: 7 Steps for Resiliency in Critical Infrastructure
Download
advertisement