[Do you have an integrated physical and non-physical security training program for all employees? Is the training program customized to the needs and level of expertise of the different employees you train?]

[In most cases, physical and other forms of security are so different that integrating the training programs does not make sense! Most organizations cannot afford to have fully customized training, and provide common training for all workers.]

[Are all users of all systems identified and authenticated before being granted access? Is the authentication properly suited to the risk associated with teir access? Is the access granted to each person using each system limited to the functions they are supposed to use those systems for and the data they are permitted to use those functions on? How are the list of functions, data, persons, and authentication methods determined and associated so that access is properly restricted?]

[Almost no system allow this level of control and the cost of implementation would be far out of line with the risks in many cases! This is a poor risk management strategy. Most PCs, which comprise more than 90% of all information systems in use today, don't allow strong authentication before use, don't allow functions to be easily limited, don't protect data stored in or passing through or by them, and have no means for allowing such controls to be specified.]

[What are the critical operational control systems in your organization? How are they isolated from public and other internal systems and networks? If firewalls are used, how is their adequacy measured, determined, tested, verified, and how is this related to the overall risk management process of the organization?]

[Separation is, in many cases, against federal regulations which mandate that many of these systems be accessible from the Internet, it is antithical to modern best practices, and current firewall technology is not capable of providing a high level of assurance at a reasonable cost!]

[What threat profile do you face as an organization? What procedural or technical controls would be adequate to assure data integrity, detection of unauthorized change or deletion, and recovery against attack mechanisms within the capabilities of that threat profile? Are these controls in place for every bit of data in every system within the organization?]

[Since no system of controls can fully mitigate all risks of disruption, a risk management process must be used in order to make sensible decisions about information assurance! Most organizations haven't properly defined a threat profile, and still fewer have related this to controls.]

[Does each infrastructure component have the capability to authenticate and log the origin of all commands that could change its operating condition? Are these cababilities enabled? How is the audit information secured? How is forgery detected?]

[Most infrastructure components today can not authenticate or log the origin of commands! The cost of replacement would be astronomical, and current authentication technology is not designed to support this activity.]

[Do you have personnel trained to the level of national-level incident response teams? Do you have equipment suited to investigate all suspected intrusions? Can you safely isolate and recover damaged systems without major impact on the rest of your systems?]

[There are too few people available today with this level of expertise to staff teams for the current critical infrastructures! The cost and impact of CERT teams on critical infrastructure protection has not been analyzed from a risk management perspective and thus we do not really know whether this is a good idea or a waste of funds.]

[Is every component required for normal operations and customer service properly backed up? Does this include all network components, routers, switches, gateways, vioce mail systems, and other similar components? Are these backups tested regularly and do the tests fully demonstrate that an operational condition can be restored in a timely fashion? Is redundancy used to assure that hardware failures do not result in unacceptable downtime? Does the backup method include geographic redundancy to assure that local disasters cannot have overall effects? Are backups protected to the sam elevel of assurance as primary systems? Can backups of your systems be retrieved and restored in a timely fashion even if no other infrastructure element is available and operating? Has this been tested and demonstrated to be effective?]

[This should be standard business practice by now!]

[Do you know what the technical expertise of the NSA is? How do you tell who is appropriate to perform assessments of vulnerabilities of your information systems? How regularly are what subsets of your information systems assessed for vulnerabilities and how is this frequency determined?]

[The NSA is not competent to perform this function for all systems, the capabilities of the NSA are not known to the infrastructure providers, and the history of the government in relating effectively with industry is so poor that this proposal is unlikely to be widely accepted! This is not properly supported by a risk management process, so that the frequency of assessment is not known. Furthermore, the NSA has historically been reluctant to share any such information.]

While I believe that the PCCIP is well-meaning in their attempt to identify best practices in risk assessment, they seem to have missed the mark in this particular analysis. I suspect that no government agency today could pass an independent audit based on the specified criteria.

• Managing Network Security
• Auditor's Checklists (restricted)
• Protection and Security on the Information Superhighway (restricted)

Your comments are welcomed - email to fred at all.net