Incident management use of disaster mitigation in the critical infrastructure domain
On April 29, 2004, the American National Standards Institute (ANSI) recommended to the 9/11 Commission that NFPA 1600 be established as the national preparedness standard. On July 22, 2004, the 9/11 Commission formally endorsed NFPA 1600 and urged that compliance with NFPA 1600 be taken into account by the insurance and credit rating industries in assessing a company’s insurance rating and creditworthiness. The 9/11 Commission also believes “compliance with the standard should define the standard of care owed by a company to its employees and the public for legal purposes.”
NFPA 1600 establishes a shared set of norms for disaster management, emergency management, and business continuity programs. It also recognizes ways to exercise plans and makes available a listing of resource organizations within the fields of disaster recovery, emergency management and business continuity planning. One vital aspect of NFPA 1600 is its requirement that all emergency management and business continuity programs must comply with all relevant laws, policies and industry practice.
Incorporating NFPA 1600 Through EMAP

Published in: Technology, Business
Transcript

Waiting for the cyber-hurricane safe harbor: incident management standards adrift?

Part five of a series, July 2013

Author: Dave Sweigert, M.Sci., CISSP, CISA, PMP (non-attorney who is not providing legal advice)

ABSTRACT

Use of best practices for incident management may help in litigation mitigation.

Background

In March 2002 two Fayetteville, NY firefighters died when a floor collapsed at a house fire. A widow filed suit against the property owner, Onondaga County, and the fire departments involved for mismanaging the incident and allowing unsafe operations that caused the death. Pursuant to NY General Municipal Law § 205-a, a court deemed there was a failure to properly implement the tenets of the National Incident Management System (NIMS) and the Incident Command System (ICS), resulting in a costly settlement for the widow. The case has reminded fire departments across the nation that best practices, and failure to follow them, can result in painful outcomes.

***

The cybersecurity national floor

A Cybersecurity Framework (CSF) has been proposed by the White House via Executive Order 13636, which, amongst other things, tasks the U.S. National Institute of Standards and Technology (NIST) to develop a consensus-driven policy framework designed for voluntary compliance by industry. The focus is to help secure the Critical Infrastructure and Key Resources (CI/KR) maintained by private owner-operators and define risk management metrics (an estimated 80% of CI/KR is operated by private entities).[1] Simultaneously with CSF development, CI/KR industry thought leaders are promoting a Cyber Safety Act: legislation that would provide safe harbors or other limitations on cybersecurity liability, contingent on reasonable efforts to conform to best practices.

CSF may ultimately become the baseline to provide for these “best practices”, or the “national floor”[2] for CI/KR cybersecurity incident immunity. As the Integrated Task Force (ITF) for Presidential Policy Directive 21 (PPD-21) has opined regarding the proposed Cyber Safety Act:

“…Liability would be capped at the amount of cyber insurance acquired. Additionally, this incentive would provide marketing and insurance benefits to corporations, improving the business case for making cybersecurity investments…”[3]

These initiatives have been proposed to create an incentive environment in the hopes that CI/KR private operators can be incentivized to implement voluntary frameworks, like the EO 13636 CSF.

How much cybersecurity is enough?

For nearly fifty years the landmark legal precedent in establishing technology disaster liability has been United States v. Carroll Towing Company.[4] In the Carroll Towing incident a tug boat towed a barge into a nasty storm at sea. When the barge was lost at sea, the private tug boat operator was sued. Inquiries were made as to why the tug boat was not equipped with new weather radios (this was 1947). The operator claimed that this new technology was costly. However, the presiding judge created an algebraic equation to determine the amount of money that should be expended on technology safeguards to mitigate loss and injury (known as the Hand Rule). Restated:

“…if the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B < PL…”

Meaning: if estimated business injury is $12 million, and there is a 10 percent chance of such disaster, it may be prudent to invest $1.2 million to mitigate such an outcome. During any post-incident legal analysis and litigation the Hand Rule will most certainly be applied by litigators to measure the adequacy of an organization’s pre-incident planning and management of the incident.

Establish a national floor for incident management

Meanwhile, private CI/KR operators complain that cyber threats are over-hyped in a threat-driven environment and that millions have already been invested in “check the box” mandatory compliance standards (that usually address static infrastructure). In contrast, investing in dynamic incident management capabilities may provide a flexible tool to mitigate evolving disaster.

For instance, in July 2004, the 9/11 Commission formally endorsed National Fire Protection Association (NFPA) Standard 1600[5] for use in emergency incident management and urged that compliance with NFPA 1600 be taken into account by the insurance and credit rating industries in assessing a company’s insurance rating and creditworthiness. The 9/11 Commission also suggested: “…compliance with the standard should define the standard of care owed by a company to its employees and the public for legal purposes….”[6]

Thus, there is a need for CI/KR private operators to examine NFPA 1600 incident management principles in the context of a Carroll Towing type of investment (as opposed to static cyber security appliances). Restated: purchasing weather radios is of little use without the radio operator training needed to tune the radio and locate the necessary weather report.

Incident management (unlike static controls) is a dynamic and evolving response to the consequences of a severe incident. This includes man-made cyber incidents that have downstream and cascading effects on CI/KR. NFPA 1600 recognizes this and incorporates the principles of the National Incident Management System (NIMS). “The NIMS approach fosters coordination and cooperation (interoperability) between public and private entities in a variety of domestic incident management activities regardless of cause, size, or complexity…”[7]

In sum, serious consideration should be given by CSF planners to incorporate a NFPA 1600 and/or NIMS response capability in the EO 13636 CSF. This would promote the holistic integration of incident response and management with the cyber security community.

***

About the author: Dave Sweigert is a Certified Information Systems Security Professional, Certified Information Systems Auditor, Project Management Professional and holds Master’s degrees in Information Security and Project Management. A graduate of the National Fire Academy (NFA) Incident Management Team (IMT) course, he is a practitioner of NFPA 1600/NIMS in his role of assisting private organizations in institutionalizing NFPA 1600/NIMS into their organizational severe incident response plans and training.

Notes

1. National Infrastructure Protection Plan, Energy Sector, U.S. Department of Homeland Security (2005).
2. “…HIPAA's privacy and security rules establish a national floor for confidentiality, covered entities have been left to develop their own internal enforcement…” AHIMA, “Sanction Guidelines for Privacy and Security Violations,” Journal of AHIMA 82, no. 10 (October 2011): 66-71.
3. Integrated Task Force, Critical Infrastructure Security and Resilience, U.S. Department of Homeland Security.
4. United States v. Carroll Towing Co., 159 F.2d 169, 173-74 (2d Cir. 1947).
5. NFPA 1600®: Standard on Disaster/Emergency Management and Business Continuity Programs, 2013 Edition.
6. The 9/11 Commission Report 398 (2004).
7. NIMS, Dec. 2008, U.S. Department of Homeland Security.
