Critical infrastructure book

by Mark Rowe

A new book from IT Governance covers how to protect your critical information infrastructure (CII). Lessons Learned: Critical Information Infrastructure Protection, by Estonian cyber security man Toomas Viira, is a paperback also available as an e-book, published on January 23.

This book comes with 23 lessons on cyber threats and the correct behaviour against them. Billions of people use the services of critical infrastructure providers, such as ambulances, hospitals, and electricity and transport networks. This number is only increasing, yet there appears to be little protection for many of these services. IT has allowed organisations to increase their efficiency to be competitive. However, do we even know or realise what happens when IT solutions are not working – when they simply don’t function at all or not in the way we expect? This book aims to teach the IT framework from within, allowing you to reduce dependence on IT systems and put in place the necessary processes and procedures to help protect your CII.

The book’s aimed at people who organise the protection of critical infrastructure, such as risk, IT and information security managers, business continuity managers and civil servants. Most of the principles and recommendations described are also valid in organisations that are not critical infrastructure service providers, the author adds.

Those 23 lessons:

1: Define critical infrastructure services.
2: Describe the critical infrastructure service and determine its service level.
3: Define the providers of critical infrastructure services.
4: Identify the critical activities, resources and responsible persons needed to provide the critical infrastructure service.
5: Analyse and identify the interdependencies of services and their reliance upon power supplies.
6: Visualise critical infrastructure data.
7: Identify important information systems and assess their importance.
8: Identify and analyse the interconnections and dependencies of information systems.
9: Focus on more critical services and prioritise your activities.
10: Identify threats and vulnerabilities.
11: Assess the impact of service disruptions.
12: Assess the risks associated with the service and information system.
13: Implement the necessary security measures.
14: Create a functioning organisation to protect CII.
15: Follow regulations to improve the cyber resilience of critical infrastructure services.
16: Assess the security level of your information systems yourself and ask external experts to assess them as well.
17: Scan networks yourself and ask external experts to scan them as well to find the systems that shouldn’t be connected to the Internet but still are.
18: Prepare business continuity and disaster recovery plans and test them at reasonable intervals.
19: Establish reliable relations and maintain them.
20: Share information and be a part of networks where information is shared.
21: Train people to make sure they are aware of cyber threats and know the correct behaviour.
22: If the CII protection system does not work as planned or give the desired output, make improvements.
23: Be prepared to provide critical infrastructure services without IT systems. If possible, reduce dependence on IT systems. If possible, during a crisis, provide critical services at reduced functionality and/or in reduced volumes.

© 2024 Professional Security Magazine. All rights reserved.