Sun, 2007-01-07 17:15
So what are the top IT security priorities for government, whether federal, state, or local, in 2007?
First, a few quick caveats are needed. There are plenty of personalized priorities for each of us. We all have our own strategies and local plans. While everyone seems to be talking about common items like patching systems, mobile workers, identity management, and protecting sensitive information accessed from mobile devices, we’re all at different places with our architectures and infrastructures. In Michigan, we’ll be releasing our new Strategic IT Security Plan for 2007-2010 later this month. I’ll provide a link to the executive summary of our plan when it comes out, so you can see more details and compare and contrast with your own approaches.
Second, as I talk with colleagues around the country, it’s very clear that we have the full spectrum from laggards to bleeding-edge security groups when it comes to adoption of the “new security stuff.” The RSA conference is coming around again, with a host of promising new black boxes. Which ones will make a difference? That’s another blog, but there are always a few surprises out there.
Third (and finally), all emergencies are local, and we can never predict when the next cyber-Katrina will hit. Veteran CSOs know that all priorities and predictions can go by the wayside if something really bad happens (either locally or nationally). None of us want to be a bad headline, either.
So after all the formalities… What’s the answer? What’s the top (new) thing we should all be working on after we’ve answered all the above questions?
I vote for implementing the National Infrastructure Protection Plan (NIPP) Sector Specific Plans, and especially the IT-Sector Specific Plan. I know that’s a mouthful, and you may not even know what I’m talking about. For detailed information on what the NIPP is, and to download copies of the overall plan, you should go to the DHS website.
Reliable sources have told me that all of the NIPP sector plans will be released together as one package later this month or early next month at the latest. It should be a big deal, with plenty of press and a few senior-level execs making appearances on the news-talk circuits. Without going into specifics, there will be action items and direction for new security initiatives, and private sector and government entities should take note by sector. This will become our major roadmap for either the next three years or until a new administration changes direction, whichever comes first.
I know that some readers view these types of documents as largely unrelated to their “real” job. While progress has been made on the National Strategy to Secure Cyberspace, some articles were written saying that that plan was too watered down when it was published.
I’m aware of those criticisms. Still, I’ve spent a good chunk of time in 2006 working with public and private sector colleagues to help write the soon-to-be-released IT Sector Plan for the NIPP. The private sector, via the IT Sector Coordinating Council or IT-SCC, has been very involved in this writing process, working in close collaboration with the IT-Government Coordinating Council (IT-GCC). Federal, State and local representation is also involved in the IT-GCC. My involvement has been as the National Association of CIOs (NASCIO's) primary rep to the IT-GCC.
I know I’m biased, but I do think this IT-sector plan will be important and “different.” I can’t go into details until it’s released, but at that time, I plan to provide (hopefully helpful) “NIPP-notes” on each important chapter. They’ll be kind of like “Cliff Notes” for those who relied on those handy booklets to get through high school and college.
There were many articles written on the NIPP in 2006, and you can even take a course from FEMA on the plan called IS-860. I mention all of this now, since I believe this will (and should) become a major focus and priority for 2007 and beyond. I recommend getting familiar with the overall NIPP now and being ready when the IT plan comes out soon.