Tool
The GFCE-MERIDIAN Good Practice Guide on Critical Information Infrastructure Protection for Governmental Policy-Makers
About
Publication date: 2017
Critical Information Infrastructure Protection (CIIP) is a complex but important topic for nations. Nations at large critically depend on Critical Infrastructure (CI) services such as energy supply, telecommunications, financial systems, drinking water, and governmental services. Information and communication technologies (ICT)-based services are becoming increasingly important for the functioning of CI. Disruption of information infrastructure can have a major impact on a nation. This leads to the concept of Critical Information Infrastructure (CII), which comprises both critical information and (tele)communication infrastructure and the ICT and process control systems that are a critical part of CI service provisioning.
The need for CIIP is becoming increasingly prominent. The risk to society due to insufficient protection and measures increases by the day. As information and communication infrastructures become globally interwoven, a nation’s CII may be a target for malware, hackers, hacktivists and adverse state operations. At the same time, the nation’s CII can become a means for attacking other nations’ CII. Through a threatened CII, the proper and undisturbed functioning of the CI may be at risk, and through that, one’s society, economy, and daily life could also be at risk. Moreover, the global interconnectivity of CII means that a vulnerable CII may become the weakest link and thereby a risk to the CII of all other nations of the world.
A number of nations are on the path of Critical Infrastructure Protection (CIP) but have difficulties in progressing with CIIP. Other nations are at the very start of their combined CIP – CIIP journey. A set of nations has already progressed on that path and may have experienced pitfalls and developed good practices. In order to raise the protection barriers and to progress on the CIIP path, the Meridian Process and the Global Forum on Cyber Expertise (GFCE) jointly took the initiative to develop this good practices guide on CIIP for national CI and CII policy-makers. Moreover, these good practices may be of use to nationally and internationally operating CI operators. This guide is intended to assist nations which are at the very start of their journey, but also nations whose journeys are underway. We realise that each nation has a different legal and regulatory structure, a different style of governance over CI and CII, a different adaptation level of information and communication technologies (ICT), a different culture, and so on. These good practices are not chiselled in stone. They are meant to inspire the reader. In the application of a good practice, there may be a need to tune the approach to fit each national need.