DHS approves IT sector protection plan

Find opportunities — and win them.

DHS this week gave final approvals to the IT industry's approach to protecting the Internet and other national IT-related infrastructures by focusing on critical functions.

The IT sector plan provides an overview of existing risk management approaches and suggests a framework for threat and vulnerability analysis as well as consequence evaluation and mitigation to ensure that such functions can continue to be provided. It proposes to establish a Protective Program Working Group to determine needs and capabilities, identify protective actions and develop an implementation plan.Members of the IT industry community are being actively recruited to carry out initiatives in the plan, including situational awareness, incident response and information sharing. The industry representatives will continue to work with government representatives."Now that the government is officially releasing all the critical sectors' Sector Specific Plans, we look forward to extending this successful partnership approach to implementation of the Sector Specific Plan, exercise planning and conduct, and other important areas of planning and operational collaboration," said Guy Copeland, chair of the IT Sector Coordinating Council and vice president, Computer Sciences Corp.DHS officials said they would release the sector plans on a need-to-know basis to members of each sector. However, Tiffany Jones, a spokeswoman for the IT Sector Coordinating Council and the IT Information Sharing and Analysis Center, said the sector plan will be made available to the public online.The work on infrastructure protection is ongoing. "The formalization of the SSPs represents a significant milestone in implementation of effective risk reduction strategies," said a DHS news release. "As we continue down that path, DHS and its partners will use the systematic Sector Protection Plans framework as the basis for ongoing efforts. Sector-Specific Agencies will continue to engage with their Government Coordinating Councils and Sector Coordinating Councils to implement the Sector Specific Plans."

After months of discussion, the Homeland Security Department this week gave final approvals to the information technology industry's approach to protecting the Internet and other national IT-related infrastructures by focusing on critical functions rather than on physical assets like facilities and buildings.

The sector approach is outlined in the 108-page Information Technology Sector Specific Plan to be released today as part of the National Infrastructure Protection Plan. The sector plan outlines initiatives to prevent and mitigate attacks on key national IT functions through risk management, situational awareness and response, recovery and restitution activities.

The IT Sector Coordinating Council, a group of IT industry representatives working in collaboration with DHS, developed the plan over a number of months. It is one of 17 national councils developing sector plans for energy, food, water, financial services and other critical infrastructure sectors. The plans were submitted to DHS in December 2006, and were officially approved by the department on May 21.

One of the IT group's main challenges was in agreeing on a framework to define critical assets, which is a criterion given for all the sectors. The IT sector council suggested that IT assets are virtual and proposed to define critical functions instead.

"Given the IT Sector's complexity, global nature and unique character, the most viable way to proceed is with a qualitative, top-down approach that considers sector security goals and objectives, and then identifies critical IT sector functions," the IT sector plan states.

The IT sector critical functions identified in the plan are:

  • IT products and services
  • Incident management capabilities
  • Domain name resolution services
  • Identity management and associated trust support services
  • Internet-based content, information and communications services
  • Internet routing, access and connection services