PDD 63 (Presidential Decision Directive)

There are several key areas where laws, regulations, and directives have been enacted requiring industries to preserve their assets for the protection of their investors, benefactors, or place in the National Critical Infrastructure. In May 1998, the President of the United States, through PDD 63, required that specific measures be taken to protect the National Critical Infrastructure:

The President's policy … [s]ets a goal of a reliable, interconnected, and secure information system infrastructure by the year 2003, and significantly increase[s] security to government systems by the year 2000, by … [i]mmediately establishing a national center to warn of and respond to attacks. Ensuring the capability to protect critical infrastructures from intentional acts by 2003, PDD 63 addresses the cyber and physical infrastructure vulnerabilities of the Federal government by requiring each department and agency to work to reduce its exposure to new threats. It requires the Federal government to serve as a model to the rest of the country for how infrastructure protection is to be attained. It seeks the voluntary participation of private industry to meet common goals for protecting our critical systems through public-private partnerships. It protects privacy rights and seeks to utilize market forces. It is meant to strengthen and protect the nation's economic power, not to stifle it. It seeks full participation and input from the Congress.

Critical Incidents: Damaging Critical Assets

Critical incidents are adverse events negatively affecting the ability to continue profitable operations. Critical incidents are defined in terms of risk, where risk is the probability of harmful events happening. Critical assets are those assets absolutely required for the organization to continue profitably, and profitability is the achievement of the organization's goals.

Critical Asset Priority

Critical assets are essentially divided into three supporting pillars listed in rank order:

- Human resources

- Data

- Physical facilities

Addressing risks is very similar to knowing your adversary: know the risks, accept the risks, mitigate the risks, transfer the risks, and avoid the risks. It is important to know which events can have a detrimental effect on your organization's assets. Harmful events are best understood when they are quantified in the form of a schedule showing the relationships between assets, threats and their frequency, vulnerabilities, and cost-effective safeguards.

By accepting risks, you are not denying their probability or their impact; rather, you have decided to take measures to protect your assets. By addressing risks, you are committed to implementing cost-effective, asset-protecting safeguards. The most desirable asset safeguard is one that avoids risk altogether, so the asset never suffers diminishment. A subset of risk avoidance is one where the negative impact of the harmful event is postponed, hopefully forever.

The process of transferring risks can also be addressed by implementing safeguards protecting specific assets. An example of a "transferring risk" safeguard is the outsourcing of employee payroll and benefits processing. By passing this responsibility to someone else, accompanied by specific contractual performance requirements, the risk is passed from the original enterprise to the processor. In the event of a critical incident, the asset, risks, and attendant expense are transferred elsewhere.

Mitigating risks is the process by which their probability of happening is reduced. A subset of mitigating risks is reducing their harmful effects on assets. This mitigation process can be highly complex, involving sophisticated strategies, or it can be as simple as instituting a company-wide policy.
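The schedule the passage above describes, worked as an added example (not from the original text): each asset is related to its threats, their annual frequency, the vulnerability, and candidate safeguards, and a safeguard is applied only where the loss it prevents exceeds its cost; otherwise the risk is knowingly accepted. The expected-loss formula, the names and all figures are assumptions made for illustration.

```python
from dataclasses import dataclass
# The three supporting pillars in the rank order the text gives (added example, constructed data).
PILLAR_RANK = {"human resources": 0, "data": 1, "physical facilities": 2}

@dataclass
class Safeguard:
    name: str
    annual_cost: float
    frequency_cut: float  # fraction of harmful events it prevents (0..1)
    impact_cut: float     # fraction of per-event harm it removes (0..1)
    kind: str             # "mitigate", "transfer" or "avoid"

@dataclass
class RiskEntry:
    asset: str
    pillar: str
    asset_value: float
    threat: str
    annual_frequency: float  # expected harmful events per year
    vulnerability: float     # fraction of asset value lost per event (0..1)
    safeguards: list

def expected_loss(e, s=None):
    """Annual expected loss = frequency x harm per event (conventional quantification, assumed here)."""
    freq, harm = e.annual_frequency, e.asset_value * e.vulnerability
    if s is not None:
        freq *= 1 - s.frequency_cut
        harm *= 1 - s.impact_cut
    return freq * harm

def choose_treatment(e):
    """Safeguard whose prevented loss most exceeds its cost, else knowing acceptance; (kind, name, net)."""
    baseline = expected_loss(e)
    best = ("accept", None, 0.0)
    for s in e.safeguards:
        net = baseline - expected_loss(e, s) - s.annual_cost
        if net > best[2]:
            best = (s.kind, s.name, net)
    return best

def schedule(entries):
    """Rows ranked by pillar, then by expected loss, each with its chosen treatment."""
    ranked = sorted(entries, key=lambda e: (PILLAR_RANK[e.pillar], -expected_loss(e)))
    return [(e.asset, e.threat, round(expected_loss(e), 2), *choose_treatment(e)) for e in ranked]

SAMPLE = [  # constructed figures; the flood safeguard costs more than it saves, so that risk is accepted
    RiskEntry("customer database", "data", 500_000, "disk failure", 0.2, 0.5, [Safeguard("nightly backup", 6_000, 0.0, 0.9, "mitigate")]),
    RiskEntry("payroll processing", "data", 200_000, "processing error", 1.0, 0.05, [Safeguard("outsource payroll", 4_000, 0.0, 1.0, "transfer")]),
    RiskEntry("server room", "physical facilities", 100_000, "flood", 0.01, 1.0, [Safeguard("relocate to upper floor", 20_000, 1.0, 0.0, "avoid")]),
]
```

Running `schedule(SAMPLE)` ranks the two data-pillar entries ahead of the facilities entry and shows one risk mitigated, one transferred, and one accepted because its only safeguard is not cost-effective.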

In considering risks, the value of a proactive program is not necessarily determined by its complexity and expense. Never underestimate the value of a simple, well-written policy. An example of a simple policy is employee Internet use. Employees, as a condition of their employment, agree that Internet use is permitted only as part of their official duties. Policies, read and acknowledged by each employee, prohibit personal Internet use.

Experience note: An example of a critical incident that can seriously damage business operations is a senior employee, Bob, who gets a little bored after lunch and begins to surf the Internet from his workstation. He is aware of the business-only policy, but chooses to ignore it. Because most of the office is an open bullpen, privacy in his workplace does not exist. After checking his Internet e-mail, he does some online shopping, and because none of his co-workers are looking, he takes a peek at some soft pornography Web sites. He begins to lose track of time and surfs to some sites that are more offensive. While Bob is clicking through some pop-ups, Doris, the office manager, enters his work area. Seeing the Web sites Bob is viewing, Doris remarks that they are very offensive. She reports her experience to her supervisor and visits the local EEO office. This is the third time she has seen Bob browsing pornography at his workstation, and she has reported the matter to her company's management each time. But this is the last straw; she has had enough. Bob has been warned about his pornography browsing, but because his technical skills are not easily replaced, his activities have not resulted in adverse personnel action. After exhausting her administrative remedies without resolution, Doris files a civil suit, naming her employer and Bob as defendants. Because the court filings are public, there is significant news coverage and the organization's good image is irreparably tarnished. A large monetary settlement is made and Bob is fired.

One information manager stated, "There is a generally accepted statistic that places risk at an acceptable level: 1 percent. This is a risk. That's all the motivation I need; expect the best, but plan for the worst."