By Jeff Kabachinski
Cybersecurity continues to be the hot topic in the IT world, especially in healthcare IT. It should be, as cybersecurity needs a constant vigil. Several processes and frameworks have recently come forward to help in that vigilance. The latest of these is the presidentially ordered Homeland Security National Cyber Incident Response Plan (NCIRP), which addresses cybersecurity risks to critical infrastructure. The plan defines how government, public, private and commercial IT groups can band together in the cybersecurity environment.
Main NCIRP Sections
The first portion of the plan covers the various roles and responsibilities of these groups. This includes the roles within the threat response area, the asset response area and the intelligence support area.
The next section seems to be where the core of the document and plan resides. Called Core Capabilities, it covers the details of the areas mentioned above. In addition, there is an area called Cross-Cutting Core Capabilities. This area details things like IT forensics, intelligence and information sharing, operational communications, coordination and planning, how to notify the public with information and warning, and cybersecurity screening and detection – whew, it sure looks like they have it covered. The other thing to consider is that the plan states it is a living document, meant to maintain vigilance and adjust to changes in the cybersecurity environment.
The Threat Response Core Capabilities include interdiction, disruption, and identifying threats and hazards. The Asset Response Core Capabilities contain access control and identity verification, infrastructure systems, logistics and supply chain management, and situational assessment.
The Coordinating Structures and Integration section is next and covers the processes for the players in the various sectors, including operational coordination during a significant cyber incident and evaluating the incident's severity.
The last main section is for cybersecurity response operational planning.
The Annexes
But wait, there's more! The plan has a number of annexes that further detail cybersecurity incident severity levels, and how and what to report to the various federal government centers. There is also an annex defining the types of cybersecurity attack vectors. The last couple of annexes I wanted to mention cover developing an internal cyber incident response plan and outlining the technical capabilities needed. The technical capabilities list looks quite complete, including host system forensic analysis, network and packet analysis, and malicious code analysis.
My suggestion is, once you've scanned the table of contents, to zero in on the aspects you want to learn more about or bone up on.
Again, the main idea is to set the scene and provide guidance and methods for a whole-community partnership approach to easing, responding to and recovering from cybersecurity incidents.
Quoting directly from the plan:
“Cyber incident response is an important component of information and communications technology (ICT) and operational technology programs and systems. Performing incident response effectively is a complex undertaking and requires substantial planning and resources to establish a successful incident response capability.
This Plan should serve as the basis for national cyber operational playbooks and individual critical infrastructure sector operational coordination plans, as well as at the individual entity level. In all cases, incident response activities will be conducted in accordance with applicable law and policy.”