Resiliency Rules 7 Steps for Resiliency in Critical Infrastructure

Document Sample
Resiliency Rules 7 Steps for Resiliency in Critical Infrastructure Powered By Docstoc
					Resiliency Rules:
 7 Steps for Resiliency in
 Critical Infrastructure
 Protection


                 Phil Sodoma
   Director, International Security Strategy
       Trustworthy Computing Group
                   Microsoft
                      7 Steps for Resiliency in
 Resiliency Rules     Critical Infrastructure
                      Protection




Government,
infrastructure
owners/operators
can collaboratively
pursue these core
enablers of
resiliency and
infrastructure
security
            Establishing Clear Goals
CIP Goals   is Central to Success
                                                 Understanding Roles
CIP Roles                                        Promotes Coordination


   Government                 Define Policy and Identify Roles
   “What’s the goal”

                                    Determine Acceptable Risk Levels
   Public-Private Partnership
   “What’s critical”                                                   Incidences, emerging
                                                                        issues, & changing
                                                                            conditions :
   Infrastructure
                                                                       constantly update risk
   “Prioritize Risks”              M easure                                assessment
                                                   Assess Risks
                                 Effectiveness


   Operators                                         Identify
                                  Implement        Controls and
   “Best control solutions”
                                   Controls        M itigations
                                  Understanding roles and
Define Roles                      objectives promotes trust
                                  and efficiency



        CIIP
        Coordinator                             Infrastructure
        (Executive                              Owners and
        Sponsor)         Public-Private
                                                Operators
                         Partnerships
Law
Enforcement
                                                 IT Vendors
              Sector-    Computer                and
              Specific   Emergency               Solution
              Agency     Response Team           Providers



 Government               Shared                   Private
Identify and Prioritize                                          Collaborate to understand
Critical Functions                                               Interdependencies




         Critical Function
                                                                    Establish an open
                                                                    dialogue to
 Infrastructure
                    Key Resource
                                                                    understand the
    Element
                                                                    critical functions,
                                                                    infrastructure elements,
Supply
Chain
           Supply
           Chain
                    Supply
                    Chain             Critical Function             and key resources
                                                                    necessary for:
                                Infrastructure
                                                  Key Resource
                                                                       delivering essential
                                   Element
                                                                       services,
     Critical Function
                                                                       maintaining the orderly
                                        Supply
                                        Chain
                                                 Supply
                                                 Chain
                                                          Supply
                                                          Chain
                                                                       operations of the
                                                                       economy, and
 Infrastructure
    Element
                    Key Resource                                       helping to ensure public
                                                                       safety.
Supply     Supply   Supply   Supply             Understand
Chain      Chain    Chain    Chain          Interdependencies
Continuously Assess         Protection is the Continuous
                            Application of Risk
and Manage Risks            Management



• Evaluate Program
                                    • Identify Key Functions
  Effectiveness
                                    • Assess Risks
• Leverage Findings to
                                    • Evaluate Consequences
  Improve Risk Management


                                                    Incidences, emerging
                                                     issues, & changing
                                                         conditions :

                                                    constantly update risk
                                                        assessment




                            • Define Functional Requirements
                            • Evaluate Proposed Controls
                            • Estimate Risk Reduction/Cost Benefit
                            • Select Mitigation Strategy
Establish and
                                              Improve Operational
Exercise Emergency                            Coordination
plans
Public- and private-sector organizations alike can benefit from developing joint
plans for managing emergencies, including recovering critical functions in the
event of significant incidents, including but not limited to:
  natural disasters
  terrorist attacks
  technological failures
  accidents.

Emergency response plans can mitigate damage and promote resiliency.

Effective emergency response plans are generally short and highly actionable so
they can be readily tested, evaluated, and implemented.

Testing and exercising emergency response plans promotes trust,
understanding, and greater operational coordination among public- and private-
sector organizations.

Exercises also provide an important opportunity to identify new risk factors that
can be addressed in response plans or controlled through regular risk
management functions.
Create Public-Private   Collaboration is key to
                        protecting critical
Partnerships            infrastructure
Build Security &
Resiliency into                        Security is a continuous
                                       process
Infrastructure
 Building security and resiliency   Critical Functions
 into infrastructure operations     (Global, National, Local)



                 Infrastructure
 Security
 Controls        Operations

Management

 Technical

                                    Fosters increased security and
Operational
                                    resiliency for the critical functions
                                    that support safety, security and
                                    commerce at all levels
Update and Innovate    Mitigate threats by keeping
                       technology current and
Technology/Processes   practices innovative
Questions?
Appendix
Security Development   Security is a continuous
Lifecycle (SDL)        process
The Security                                                 Driving Change Across
                                                             Microsoft
Development Lifecycle



Product          Design           Standards,         Security Push     Final Security
  Inception        Define           best               Security code     Review
  Assign           security         practices,         reviews           Independent
  security         architecture     and tools          Focused           review
  advisor          and design       Apply coding       security          conducted by
  Identify         guidelines       and testing        testing           the security
  security         Document         standards          Review            team
  milestones       elements of      Apply              against new       Penetration
  Plan             software         security tools     threats           testing
  security         attack           (fuzzing           Meet signoff      Archiving of
  integration      surface          tools, static-     criteria          compliance
  into product     Threat           analysis                             info
                   Modeling         tools, etc.)
                                                                       RTM and
                                                                         Deployment
                                                                         Signoff
     Microsoft Innovations Drive
        Service
        s
                               Edge
                                                                    Enc
                                                                       ryp
                                                                          t i ng
                                                                                 File
Ne                                                   Server               BitL        Sys
  tw                                                 Applications               ock      tem
     or                                                                             er™      (EF
        k                                                                                       S)
            Ac
               ce
                 ss                                                                                  Information
                    Pr                                                                               Protection
                       ot
                          ec                                                     Client and
                            t io
                                n
                                    (N
                                                                                 Server OS
                                      AP
                                         )                                                                Identity
                                                                                                           Management



                                                                                                          Systems
                                                Active Directory                                          Management
                                             Federation Services
                                                         (ADFS)


                                                                                                              Guidance

                                                                                           Developer
                                                                                           Tools