National Infrastructure Protection Plan and Risk Management Framework D’Juan L. Sanders Professor Rachelle Howard SEC 310 February 1, 2013 Protecting the Nations Critical Infrastructure The National Infrastructure Protection Plan’s risk management framework is a process structured to protect the Nation’s CIKR, DHS, and SSA’s assets, systems, networks, and functions by minimizing potential risks that may compromise integrity of these very important sectors. According to free dictionary. com (2013), a risk is any possibility of incurring misfortune or loss; hazard.
The framework of this risk management process consists of following a number of steps, in a strategic order, to best assure optimal security and protection. Though eliminating all risks isn’t possible, these steps are geared to constantly improve on addressing existing and developing risks that may affect all that embodies our nation’s critical infrastructure. To accomplish this task, NIPP has first set goals and objectives to be able to understand why they need to protect this information, who to protect against, and how we will protect the infrastructure.
NIPP enables DHS, SSA’s, and other partners to decide upon the best course of action to help minimize vulnerabilities within the infrastructure. They plan to organize to protect from physical, cyber, and human element aspects. The Feedback Loop Design The feedback loop consists of the continuous steps followed to protect from risks and then repeated in reverse order or loop to track progress and make improvements to protection and resiliency of CIKR. I feel as though this definitely strengthens the model because after the effectiveness is measured, you now know where you can improve.
Looping back through the model allows updates, corrections, and improvements to be addressed through the process which consistently maintains continuously enhanced protection. Figure 1-1 shows these steps in the construction of the model. Why Risk Management is Effective and Suitable for Protecting the Nations Critical Infrastructure A risk management protection approach is of upmost importance when it comes to protecting the nation’s critical infrastructure because it aids in the following according to the CRS Report for Congress (2004). * identify assets and identify which are most critical identify, characterize, and assess threats * assess the vulnerability of critical assets to specific threats * determine the risk (i. e. the expected consequences of specific types of attacks on specific assets) * identify ways to reduce those risks * prioritize risk reduction measures based on a strategy These risk management goals allow for personnel to point out the most critical assets by identifying them. Risk management gives personnel the opportunity to understand where their strengths and weaknesses are with vulnerability and the potential impact of consequence that exposure poses.
Last but not least, risk management aids in forming a strategy to maintain vulnerability at minimal levels. Identifying Assets, Systems, and Networks Identifying assets, systems, and networks must be the most important within in the RM framework because if you don’t know what to protect, how can you protect it? Assets left unprotected can be very detrimental because it can increase national vulnerability to a terrorist attack, natural disaster, or changes in technology. Therefore it is very important to protect any asset that needs protecting or containing anything essential to our nation’s security.
Without this identification, nothing within the model would be very effective, due to every other step being totally dependent upon that one step. Two Reasonably Possible Fixable Criticisms of NIPP Model Two fixable issues that I felt should be addressed is the issue of critical stamping overuse and getting oversight right. Because resources are awarded to certain areas within the infrastructure that are labeled critical, this of course effects what NIPP deems critical. I think that the decisions on what is labeled critical should be communicated more efficiently between the government and private sector.
A neutral governing body can also help determine what is truly “critical” without any type of incentive guiding that decision. According to Doctor Richard Weitz (2010), Addressing this challenge will require a shared effort between the private sector and the federal government, as well as hard choices, to disaggregate what is “critical” (essential for sustaining and supporting Americans’ daily lives) from what is “dangerous” (e. g. , chemical facilities) but not necessarily critical.
The next issue involves the many subcommittees that have oversight of Homeland Security which create a high number of decision making jurisdiction on critical infrastructure issues. It seems as because congress is not completely knowledgeable of these protection issues they become ineffective with passing certain policies. With the many subcommittees, the decisions for these policies become political. According to McNeil (2010), “Congress needs to develop an “in-house” way to examine risk and threats to the nation based on scientifically acceptable risk methodologies”.
I feel as though Congress definitely needs to limit the affect these many committees have on decision making and take the initiative to become more aware of the issues Homeland Security is facing to keep the nation secure. Conclusion In conclusion, I feel as though the NIPP risk management system is very effective. The fact that there is no true way of assuring 100% risk free security safety within the national infrastructure allows for many ways any plan, model, or strategy to improve. Until someone can develop an impossible 100% protection guarantee, there will always be critiques and criticisms.
References 1. dictionary. com (2013) 2. Weitz, R. Ph. D, (2010) article, How to Fix Homeland Security Critical Infrastructure Protection Plans: A guide for Congress. Retrieved from http://www. heritage. org/research/reports/2010/04/how-to-fix-homeland-security-critical-infrastructure-protection-plans-a-guide-for-congress. 3. CRS Report for Congress, (2004). Order Code RL32561, Risk Management and Critical Infrastructure Protection retrieved from http://www. au. af. mil/au/awc/awcgate/crs/rl32561. pdf
