Critical infrastructure protection survey
Last month, the President's Critical Infrastructure Protection Board released an important survey through which all the readers of this column may be able to contribute to the national security of the U.S. and to long-term improvements in global information security.
The board developed 53 questions speaking to fundamental issues to be addressed for infrastructure protection. SANS has volunteered to receive responses from the public and to collate them for consideration by the National Strategy working group. The survey is found at:
www.sans.org/nationalstrategy.php
The questions are divided into five areas, or levels:
Level 1 - The home user and small business.
Level 2 - Major enterprises.
Level 3 - Sectors of the National Information Infrastructure (e.g., federal government, local governments, private industry, academia...).
Level 4 - National-level institutions and policies.
Level 5 - Global.
I encourage all security and network professionals to think about at least one question and send in your best, clearest exposition of the issues and solutions that should be considered in this important project. Congratulations to SANS for hosting the questionnaire.
I think you will see, even from this small selection of sample questions from various levels shown below, that this effort will stimulate discussion and debate that will have value even beyond the report that will be prepared.
* * *
Sample questions from each of the sections of the survey should give readers the flavor of the seriousness of this survey:
1.2. Assistance: What can be done to make it easier for home users and small businesses to safeguard their systems? Should ISPs perform more of the cybersecurity functions for the home user and small business?
2.1. Responsibility: Who in an enterprise should be responsible for IT security? How often should that person brief the CEO? What role should the board of directors play in oversight of IT security? Should the board require an outside audit and, if so, how often and from whom?
3.A.9. Event Reporting: How can the federal government achieve better compliance with the requirement that departments and agencies report malicious activity on their cybernetworks and systems? What should be done with such reporting?
3.B.6. Connecting Critical Functions to the Internet: Are there sectors that perform critical functions, which could achieve greater security and reliability by operating networks unconnected to the Internet?
3.C.2. Law Enforcement and Emergency Services: In addition to other state and local government IT security requirements and activities, what unique problems and requirements do law enforcement and emergency services agencies confront and how should they be best addressed?
3.D.1. Preventing Attacks from Universities: How can academic freedom of inquiry be maintained while at the same time preventing the large-scale computing power of universities from being hijacked for denial-of-service attacks and other malicious activity directed at other sites?
4.7. Regulation and Market Forces: What is the role of state and federal regulation in achieving IT security? How can market forces be further stimulated to achieve improved IT security as an alternative to regulation? What role can be played by corporate disclosure policies, by internal and external auditors, by boards of directors, by the insurance industry, by liability law, by tax policy?
Network World, 04/15/02
M. E. Kabay, Ph.D., CISSP, is Associate Professor in the Department of Computer Information Systems at Norwich University in Northfield, Vt. Mich can be reached by e-mail and through his Web site.
