Understand how to protect your critical information infrastructure
(CII).
Billions of people use the services of critical infrastructure
providers, such as ambulances, hospitals, and electricity and transport
networks. This number is increasing rapidly, yet there appears to be
little protection for many of these services.
IT solutions have allowed organisations to increase their efficiency in
order to be competitive. However, do we even know or realise what
happens when IT solutions are not working - when they simply don't
function at all or not in the way we expect? This book aims to teach the
IT framework from within, allowing you to reduce dependence on IT
systems and put in place the necessary processes and procedures to help
protect your CII.
Lessons Learned: Critical Information Infrastructure Protection is
aimed at people who organise the protection of critical infrastructure,
such as chief executive officers, business managers, risk managers, IT
managers, information security managers, business continuity managers
and civil servants. Most of the principles and recommendations described
are also valid in organisations that are not critical infrastructure
service providers. The book covers the following:
- Lesson 1: Define critical infrastructure services.
- Lesson 2: Describe the critical infrastructure service and determine
its service level.
- Lesson 3: Define the providers of critical infrastructure services.
- Lesson 4: Identify the critical activities, resources and responsible
persons needed to provide the critical infrastructure service.
- Lesson 5: Analyse and identify the interdependencies of services and
their reliance upon power supplies.
- Lesson 6: Visualise critical infrastructure data.
- Lesson 7: Identify important information systems and assess their
importance.
- Lesson 8: Identify and analyse the interconnections and dependencies
of information systems.
- Lesson 9: Focus on more critical services and prioritise your
activities.
- Lesson 10: Identify threats and vulnerabilities.
- Lesson 11: Assess the impact of service disruptions.
- Lesson 12: Assess the risks associated with the service and
information system.
- Lesson 13: Implement the necessary security measures.
- Lesson 14: Create a functioning organisation to protect CII.
- Lesson 15: Follow regulations to improve the cyber resilience of
critical infrastructure services.
- Lesson 16: Assess the security level of your information systems
yourself and ask external experts to assess them as well.
- Lesson 17: Scan networks yourself and ask external experts to scan
them as well to find the systems that shouldn't be connected to the
Internet but still are.
- Lesson 18: Prepare business continuity and disaster recovery plans
and test them at reasonable intervals.
- Lesson 19: Establish reliable relations and maintain them.
- Lesson 20: Share information and be a part of networks where
information is shared.
- Lesson 21: Train people to make sure they are aware of cyber threats
and know the correct behaviour.
- Lesson 22: If the CII protection system does not work as planned or
give the desired output, make improvements.
- Lesson 23: Be prepared to provide critical infrastructure services
without IT systems. If possible, reduce dependence on IT systems. If
possible, during a crisis, provide critical services at reduced
functionality and/or in reduced volumes.
Author
Toomas Viira is a highly motivated, experienced and results-orientated
cyber security risk manager and IT auditor. He has more than 20 years'
experience in the IT and cyber security sectors.