The cornerstone of our efforts to combat IW will be the efforts of all organizations to protect their own systems and information. Some organizations have been worrying about this for a long time and have developed and implemented plans to keep on top of this increasingly serious set of threats. Other organizations have more work to do.
It might be helpful, even for those organizations that feel they are well prepared, to review the following list of suggested actions to determine what they need to do to be better prepared for the future.
The first suggested action involves a review of the organization's mission in light of the emerging threat. A few organizations may find that IW-D adds a mission or increases the importance of an existing mission.
New relationships with external organizations may be required, or perhaps existing relationships may need to be modified. Thus, a review of these relationships is in order.
Who is responsible for IW-D in the organization? Perhaps the organization has a Chief Information Officer (CIO) and it would be appropriate for the CIO to take on this responsibility. Perhaps the responsibility for IW-D is spread out among several individuals. In any event, a clear allocation of responsibilities is required.
Not all information or all systems should be considered equal with respect to the protection they merit. It is important, given resource constraints, to identify which information and systems (and functions of these systems) are critical and which are not critical.
How vulnerable are the information and systems? What is the specific nature of the vulnerabilities? Answers are needed to provide a basis for planning and developing defenses. Vulnerabilities are relative to the threat, the nature of which is constantly evolving. Thus, vulnerability analyses are not a one-time task but must be part of a continuing effort.
Isolated actions to improve security are helpful, but they are no substitute for the development of a comprehensive IW-D strategy for an organization. Since it is not possible to avoid all the risks associated with IW, each organization needs to develop a plan to manage these risks. In the course of developing and articulating an organizational IW-D strategy and risk management plan, many issues will be raised and discussed. These discussions will create a greater awareness of the problem within the organization and improve the organization's ability to meet the challenges associated with IW-D.
Combatting IW is a long-term proposition. There are many long poles in the tent. An organization's investment strategies need to be reviewed, and investments in defenses and supporting technologies must be made. Changes in the operating costs associated with introducing new procedures and safeguards may make some reallocation of resources necessary.