jerry cochran principal security strategist trustworthy computing group microsoft corporation
TRANSCRIPT
Jerry CochranJerry CochranPrincipal Security StrategistPrincipal Security StrategistTrustworthy Computing Group Trustworthy Computing Group Microsoft CorporationMicrosoft Corporation
IT/Telecom
Energy
Transportation
Banking/Finance
Govt Service
s
Cybersecurity
Critical Infrastructures
Critical Information InfrastructureCross-cutting ICT interdependencies among all sectors
Non-essential IT systems
Ente
rpris
esCo
nsum
ers
Those practices and procedures that enable the secure use and operation of cyber tools and technologies
War Terrorism
Convergence
Cyber Attacks
Globalization
Natural Disasters
Laws and Regulations
Emergency Response Plans
Directives/Policies
National Strategies
1. Define Goals and Roles2. Identify and Prioritize Critical Functions3. Continuously Assess and Manage Risks4. Build Operational Response Frameworks5. Create Public-Private Partnerships6. Build Security/Resiliency into Operations
Government and infrastructure owners/operators:
Collaboratively pursue these core enablers of resiliency and infrastructure security
Assess Risks
Identify Controls and Mitigations
Implement Controls
Measure Effectiveness
Government“What’s the goal”
Determine Acceptable Risk Levels
Infrastructure“Prioritize Risks”
Public-Private Partnership“What’s critical”
Operators“Best control solutions”
Define Policy and Identify Roles
Incidences, emerging issues, & changing
conditions :
constantly update risk assessment
Establish an Establish an Open DialogOpen Dialog
Understand the Understand the critical critical functions, functions, infrastructure infrastructure elements, and elements, and key resources key resources necessary for: necessary for:
delivering delivering essential essential services, services, maintaining the maintaining the orderly orderly operations of operations of the economy, the economy, and and helping to helping to ensure public ensure public safety.safety.
Critical Function
Critical Function
Key Resource
Key Resource
Infrastructure Element
Infrastructure Element
Critical Function
Key Resource
Infrastructure Element
Supply
Chain
Supply
Chain
Supply
Chain
Supply
Chain
Supply
Chain
Supply
Chain
Supply
Chain
Supply
Chain
Supply
Chain
Supply
Chain
Understand Interdependen
cies
Protection is the Protection is the Continuous Application of Continuous Application of Risk ManagementRisk Management
• Define Functional Requirements• Evaluate Proposed Controls• Estimate Risk Reduction/Cost Benefit• Select Mitigation Strategy
• Define Functional Requirements• Evaluate Proposed Controls• Estimate Risk Reduction/Cost Benefit• Select Mitigation Strategy
• Evaluate Program Effectiveness
• Leverage Findings to Improve Risk Management
• Evaluate Program Effectiveness
• Leverage Findings to Improve Risk Management
• Identify Key Functions• Assess Risks • Evaluate Consequences
• Identify Key Functions• Assess Risks • Evaluate Consequences
Incidences, emerging issues, & changing
conditions :
constantly update risk assessment
Goal: Improve Operational CoordinationGoal: Improve Operational CoordinationPublic- and private-sector organizations alike can benefit from developing joint plans for managing emergencies, including recovering critical functions in the event of significant incidentsUnified Concept of Operations for Public and Private Sector CERTsEmergency response plans can mitigate damage and promote resiliency.
Effective emergency response plans are generally short and highly actionable so they can be readily tested, evaluated, and implemented.
Testing and exercising emergency response plans promotes trust, understanding, and greater operational coordination among public- and private-sector organizations.
Exercises also provide an important opportunity to identify new risk factors that can be addressed in response plans or controlled through regular risk management functions.
Collaboration is key to protecting critical Collaboration is key to protecting critical infrastructureinfrastructure
Security is a Security is a continuous processcontinuous process
Infrastructure Infrastructure OperationsOperations
Management
Technical
Operational
SecuritySecurityControlsControls
Critical Critical FunctionsFunctions(Global, National, (Global, National, Local)Local)
Fosters increased security and resiliency for the critical functions that support safety, security, and commerce at all levels
Building security and resiliency into infrastructure operations