IHS Security Program Services (SPS) supports the Agency in an
effort to establish more secure facilities and by developing, managing and promoting security
policies, procedures, techniques, and services; and supports testing, evaluation and validation
of processes and systems. The Indian Health Service has a responsibility under Homeland
Security Presidential Directives (HSPD) to ensure that the Agency minimizes the negative
effects of security and infrastructure compromise. Specifically, HSPD 7 establishes a directive
that establishes a national policy for Federal departments and agencies to identify and
prioritize United States critical infrastructure and key resources and to protect them from
terrorist attacks.
SPS Program Objectives
- Ensure program management and implement standards to promote security.
- Maintain a strategy that creates awareness and compliance.
- Improve business processes to align security with Agency goals.
- Train staff in sound security practices.
Operations Security (OPSEC)
"Even minutiae should have a place in our collection, for things of a seemingly trifling
nature, when enjoined with others of a more serious cast, may lead to valuable conclusion."
George Washington
This quote from George Washington shows that operational security, otherwise known as OPSEC,
was important even in the early days of this country. Washington realized that when one gathers
information, even seemingly insignificant things may be the crucial pieces of the puzzle to put
together a clear picture of someone's operations. OPSEC is one of the critical aspects of the
IHS Security Program. Everyone is encouraged to guard sensitive information that may reveal our
operations to entities outside of the agency. Evacuation plans, continuity of operations plans
and emergency plans all have sensitive information that may have adverse consequences if revealed
to an "attacker" of the agency. We encourage everyone to guard this information and share it
only with people who have a need to know.
Everyone should also guard information such as pass words, access to facilities, files and
databases. Even things such as announcing that you are "going on vacation" may be an alert for
someone that could invade your home.
What can I do to help thwart any further attempts to harm the U.S.A.?
Practice OPSEC at work and at home. OPSEC is a five step process:
- Identification of the critical information to be protected. It is the information that is
critical to the success of your mission or objective.
- Analysis of the threats. If adversaries can obtain the critical information, they can use
it against you or your agency for their own benefit and represent a threat. You want to know who
your adversaries are, what information they need about you, and how they will collect it.
- Analysis of the vulnerabilities. Critical information that has been identified should be
protected. Look for detectable activities that you or your agency that can be interpreted or
pieced together by adversaries to derive critical information about you or your agency.
- Assessment of the risks. Risk is the measure of harm or adverse impact that vulnerability
or a combination of vulnerabilities may cause if exploited by an adversary.
- Application of the countermeasures. Once risk is determined, measures should be taken to
reduce risk. It is important to control all OPSEC indicators and not arbitrarily eliminate them.
We can all incorporate OPSEC into our everyday work routine. Practicing operations security will
help you accomplish your goals. When you do something, ask yourself, "What could an adversary glean
from the knowledge of this activity? Is it revealing information about what we do and how we do it?"
It is helpful to view yourself and what you're doing as an adversary would. For example, what can be
gained by observing your actions or reading what you place on a website?
For more information go to the following website for the Interagency OPSEC Support Staff:
http://www.ioss.gov/
Critical Infrastructure Protection (CIP)
The Presidential Decision Directive 63 makes every department and agency of the federal government
responsible for protecting its own critical infrastructure. This effort established to address
continuing government wide security concerns, establish policies and standards for security in and
protection of federal facilities and monitor agency compliance. Most of the agencies reported shared
security responsibilities between the agency and GSA. Types of security responsibilities include
performing security assessments, providing security funding, providing security forces and security
technology, and coordinating security efforts among and within agencies. In May 1998, Presidential
Decision Directive 63 was issued with the intent to eliminate any significant vulnerability to both
physical and cyber attacks on our critical infrastructure. Critical infrastructures are those physical
and cyber-based systems essential to the minimum operations of the economy and government. It makes
every department and agency of the federal government responsible for protecting its own critical
physical infrastructure. This would include the buildings that house critical cyber based systems.
The following is an excerpt from the Presidential Decision Directive NSC-63 which was signed in
May of 1988:
"Critical infrastructures are those physical and cyber-based systems essential to the minimum
operations of the economy and government. They include, but are not limited to, telecommunications,
energy, banking and finance, transportation, water systems and emergency services, both governmental
and private. Many of the nation's critical infrastructures have historically been physically and
logically separate systems that had little interdependence. As a result of advances in information
technology and the necessity of improved efficiency, however, these infrastructures have become
increasingly automated and interlinked. These same advances have created new vulnerabilities to
equipment failure, human error, weather and other natural causes, and physical and cyber attacks.
Addressing these vulnerabilities will necessarily require flexible, evolutionary approaches that span
both the public and private sectors, and protect both domestic and international security.
Because of our military strength, future enemies, whether nations, groups or individuals, may seek
to harm us in non- traditional ways including attacks within the United States. Because our economy is
increasingly reliant upon interdependent and cyber-supported infrastructures, non-traditional attacks
on our infrastructure and information systems may be capable of significantly harming both our military
power and our economy.
President's Intent
It has long been the policy of the United States to assure the continuity and viability of critical
infrastructures. I intend that the United States will take all necessary measures to swiftly eliminate
any significant vulnerability to both physical and cyber attacks on our critical infrastructures,
including especially our cyber systems."
Because the Indian Health Service provides emergency services, including health services and assists
in providing and maintaining water systems throughout "Indian Country" we oversee a significant portion
of critical infrastructure throughout the United States. Therefore, CIP is an important role of the IHS
Security Program. The Security program works with federal and tribal programs to protect critical
infrastructure.
|