GFCE Global Good Practices: Critical Information Infrastructure Protection (CIIP)

The unprecedented uptake of ICT worldwide leads to a growing dependency of economic sectors, public institutions and societies as a whole. Multiple recent outbreaks of hostage-taking software
(ransomware) have shown the criticality of ICT for sectors such as transport and healthcare. Attention for the security and continuity of critical ICT is crucial to the well-being of modern societies.

Some elements of ICT have become critical for national security. These elements form the Critical Information Infrastructure (CII) of a nation. Protection of CII (CIIP) has obtained worldwide attention which has, for example, resulted in a OECD high-level policy framework (2008) containing recommendations on the Protection of Critical Information Infrastructure.

This Global Good Practice document on CIIP builds forth on these efforts by providing policy-makers and political leaders with essential but concise knowledge. This knowledge helps policy-makers in defining sustainable and efficient efforts to protect national Critical Information Infrastructure (CII). The benefits and risk of the gradual and unstoppable uptake of Information and Communications Technologies (ICT) are experienced by all nations. Effective national policy on CIIP requires regular updates and alignment with international developments. This document provides a set of good practices to develop an effective national CIIP policy (from identification of CII, to development of CIIP and handling of the inevitable dynamics).

The process of establishing a CIIP policy and living up to it in the long term should preferably be performed on basis of evidences and experiences from others. Resources and guiding information
are often scarce. The good practices in this document are based on previous research, the GFCEMeridian CIIP meeting in Mexico (2016), literature and experience elicitation from interviews.