1 / 17

Standard Operating Procedures for Treatment of Critical Infrastructure Information

This document explains the importance of treating critical infrastructure information (CII) with care, outlines the problem of public access to sensitive information, and provides methods and procedures for handling and distributing CII. It is crucial to have an SOP in place to comply with the law and protect public safety. Contact Roger Koelpin for any questions.

mathena
Download Presentation

Standard Operating Procedures for Treatment of Critical Infrastructure Information

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Standard Operating Procedures for Treatment of Critical Infrastructure Information Roger Koelpin GIS \ Critical Infrastructure Planning and Assessment Branch rkoelpin@dhs.in.gov 317-232-0181

  2. Standard Operating Procedures for Treatment of Critical Infrastructure Information • What is Critical Infrastructure? • The Problem • Why do we need an SOP for CII? • Methods • IDHS SOP

  3. What is Critical Infrastructure? • Think risk management • R = fn ( C, V, T ) • Many definitions. All different, all good. • Various thresholds for criticality. • Things change in criticality depending on situation. Bottom line, if you can’t do your “business” without it, it is critical.

  4. The Problem • We have a need to withhold some information about critical infrastructure. • Because we promised. • Because it is “risky” to publish. Members of the general public have a reasonable expectation of…

  5. The Problem …knowing that Company XYZ has an office located there. (Geography?) Members of the general public DO NOT have a reasonable expectation of knowing that the 3rd switch on the left, room 911, building 666, will turn off the sun, forever. (Capabilities, capacity..?) Not always a set of binary options.

  6. Why do we need an SOP? Indiana Access to Public Records Act • IC 5-14-3 • It is the law. • Bad things happen when you don’t follow the law. • Worse things happen if we promise to keep secrets and don’t. • Very real need to continue getting information from private sector!

  7. Why do we need an SOP? Indiana Access to Public Records Act – exceptions • IC 5-14-3-4(b)(19) • …reasonable likelihood of threatening public • safety by exposing a vulnerability to terrorist • attack.

  8. Why do we need an SOP? Indiana Access to Public Records Act – exceptions • Can successfully withhold if (IC 5-14-3-8.5) •   prove that the records are exempted records, and • denial of access is NOT arbitrary or capricious.

  9. Methods Prove that the records are exempted • Define “Critical Infrastructure Information” and • Beyond “a member of the general public has a reasonable expectation…”

  10. Methods Object oriented Policy Prove that the records are exempted • Define “Critical Infrastructure Information” • Created a retention schedule for IDHS, for CII through Indiana Public Access Commission • Retention schedule is “shred CII when obsolete.” • CII defined as anything under IC 5-14-3-4(b)

  11. Methods Denial of access is NOT arbitrary or capricious • Have an SOP for treatment of CII • Train and exercise staff on the SOP • Apply SOP consistently •   Part of the SOP establishes a process for assuring that members of the general public DO NOT have a reasonable expectation… • Covers those “non-binary” cases

  12. IDHS SOP Retention and Safeguarding Types of CII Records Distribution

  13. IDHS SOP Retention and Safeguarding • Retention • Safeguarding • Includes attachment for best practices • Labeling • Training • Updates

  14. IDHS SOP Types of CII Records • Submitted to IDHS as CII by public sector • Submitted to IDHS as CII by private sector • Generated by IDHS • With an attachment for identification of records where members of the general public DO NOT have a reasonable expectation of… • Includes allowances for redaction

  15. IDHS SOP Distribution • General public – not allowed • Response partners • Public sector with SOPs for CII • Public sector without SOPs for CII • Private sector partners

  16. Standard Operating Procedures for Treatment of Critical Infrastructure Information • What is Critical Infrastructure? • The Problem • Why do we need an SOP for CII? • Methods • IDHS SOP

  17. Standard Operating Procedures for Treatment of Critical Infrastructure Information Questions? Roger Koelpin GIS \ Critical Infrastructure Section Chief Planning and Assessment Branch rkoelpin@dhs.in.gov 317-232-0181

More Related