Infrastructure Protection: Plans and Strategies

Posted on by Robert Moskowitz

Modern organizations run on information, and information runs on infrastructure. Protecting that information infrastructure is vital to the organization’s health.

Accomplishing effective infrastructure protection requires a broadly coordinated approach. This approach establishes priorities, sets operational goals, and details both human and technological requirements for reducing vulnerability, deterring threats, and minimizing the consequences of any infrastructure damage that does occur. The primary goals nearly always involve building a safer, more secure, and more resilient data system so the organization can better resist events which may otherwise destroy or incapacitate its ability to function.

The first key step in any infrastructure protection effort is to clearly define participants' authorities, roles, and obligations. From top echelons of leadership to front-line specialists, it's critical for everyone to know and understand how they contribute to the overall infrastructure protection program, and how what they do fits with others within the program.

This clarity makes it easier for everyone to recognize what they are expected to do, when they are expected to do it, and where they may rely on others.

In order to focus infrastructure protection efforts and minimize wasted time and money, it's essential for infrastructure protection experts to understand and manage the risks against which they need to be protected. Various methodologies have been developed to assess risks, and one of the most common is to assess risk in terms of three central aspects:

  1. The likelihood of the risk. A good way to estimate this is to analyze the strength of the source, such as a potential attacker's intent and capability, or the probability of a natural occurrence of the unwanted event.
  2. The weakness of the infrastructure to the risk. Here, it's important to consider the infrastructure's inherent design, location, security features, processes, and operational parameters for clues as to how susceptible it may be to damage by the risks identified in item 1, above.
  3. The consequences flowing from the occurrence of the particular risk. Here you must consider the full range of negative effects that can follow once the organization's infrastructure is compromised by each of the risks under assessment.

The above calculations should be applied both to the general threat environment and to any specific threats that infrastructure protection program participants have reason to anticipate. These risk assessment values are difficult to predict with certainty, of course. But even when crude, they provide a logical basis for understanding where to focus limited infrastructure protection resources and efforts.

With the most likely risks identified and assessed, it becomes possible to identify the infrastructure assets that each risk threatens, and then to determine both the priorities and the appropriate protective actions for each of these assets.

Prioritization involves analyzing the risk assessment results to develop a comprehensive picture of the total risk facing the organization's infrastructure, and where the greatest potential for negative consequences may lie. Leaders can then determine which infrastructure assets, systems, and functions require the greatest protection efforts, and how best to allocate available resources. Protective actions can then be developed and deployed to prevent, deter, and mitigate various threats, to reduce the infrastructure's weaknesses to particular risks, and to minimize any consequences that might negatively impact the organization.

By following these steps and taking a broad, comprehensive approach, businesses will be closer to protecting their vital information infrastructure.

Robert Moskowitz

, New Mobility Partnerships

critical infrastructure

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community