DHS publishes sector-specific protection plan for IT infrastructure
It aims to protect 17 specific sectors against a range of terrorist and natural threats
May 22, 2007 12:00 PM ET
Computerworld - The U.S. Department of Homeland Security (DHS) yesterday released a broad blueprint of actions that technology companies and government entities can take to mitigate terrorist and other threats against the nation's IT infrastructure.
The Sector Specific Plan (SSP) for IT was released as part of a broader National Infrastructure Protection Plan (NIPP) developed by the DHS under a 2003 presidential mandate. That mandate called for the development of risk-mitigation strategies for protecting critical infrastructure targets in 17 specific sectors against a range of terrorist and natural threats.
The plans are designed to help infrastructure stakeholders in each area to identify and prioritize key assets that need to be protected and to provide recommendations on how to go about doing that. The plans for each of the 17 sectors were developed jointly by participants from government and private industry, which owns a large portion of the critical infrastructure in question.
According to an official description, the IT sector-specific plan establishes shared security goals and initiatives, describes roles and responsibilities for each of the stakeholders, and provides opportunities for integrating public and private sector preparedness efforts and technologies. Among the issues discussed in the document are strategies for preventing, protecting against and responding to threats to the IT infrastructure, identifying vulnerabilities, analyzing and sharing threat information, data recovery and out-of-band data delivery. It also lays out a plan for measuring progress and assigning responsibility for implementing recommendations.
The stakeholders in the IT sector include hardware and software companies, network and security vendors, Domain Name System and Top Level Domain operators and Internet Service Providers.
"It's not just a puff piece," said John Sabo, president of the IT-Information Sharing and Analysis Center (IT-ISAC) and director of global government relations at CA Inc. "It's very much saying these are our challenges and here's a set of action steps we need to take if we are to mitigate those challenges," Sabo said. IT-ISAC was one of the entities involved in helping develop the sector-specific plan for IT.
At the same time, though, it is important that the strategies spelled out in the sector-specific plan are used, Sabo said. "Planning is very, very important. But without effective implementation in an operational environment, such plans will have no value. We believe that operational capability is the end game," he said.
"We like the collaborative approach that [the Sector Specific Plan] was based on," said Kevin Simzer, senior vice president of product development of Addison, Texas-based security vendor Entrust Inc. "I personally like the accountability and the measurement [of progress]" embodied in the plan, Simzer said. "It is consumable by government as sort of a visionary document. It is consumable by industry in that it gives us a sense of where the gaps are and where we need to head. With it, we can all start rowing in the same direction," he said.