CISA Security Planning Workbook helps build foundational security plans to meet critical infrastructure needs


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published this week a Security Planning Workbook to support critical infrastructure asset owners and operators in their security planning. The resource is written for any member of an organization, regardless of security expertise, who is responsible for the safety and security of facilities and personnel. Its primary objective is to consolidate the information needed to create a comprehensive security plan in one place.

The security agency said that the process of creating a security plan should not be rushed. “The information entered in the workbook can be saved; users should work at their own pace. While some sections and fields within this workbook may not apply to your unique site, every organization should develop and implement a comprehensive security approach to protect its people, property, visitors, and customers. The workbook is flexible and scalable to suit any type of business or organization.” 

Additionally, the workbook offers descriptions of the key security planning elements, a set of supporting resources, and interactive fillable fields. Because a completed workbook documents an organization's assets, vulnerabilities, and countermeasures, the finished document should be saved and stored securely, in line with the organization's information handling protocols.

The foundational security plan is designed to be adaptable and scalable so that it suits most facilities. It is intended for anyone involved in an organization's security planning, whatever their level of security expertise, who is responsible for the safety and protection of facilities and people. Beyond explaining the key aspects of security planning, the resource serves as a reference tool, with interactive fillable fields guiding the user through each step.

The Security Planning Workbook calls for the formation of a planning team with a security coordinator, security planning team, and safety team. These players help establish clear roles, responsibilities, and expectations for those involved with the security planning team. “Your team could be composed of a designated Security Coordinator along with Security Planning Team members who will develop plans and implement the identified security practices,” it added. 

Also, smaller organizations with limited personnel and resources may have a single person responsible for developing the organization’s security plan(s). Organizations of all sizes can use the process and considerations offered in this workbook.

The CISA Security Planning Workbook calls for a risk assessment process that allows organizations to identify potential threats and hazards and analyze their impact. The process involves interviewing personnel and stakeholders, performing on-site inspections, and examining public records like local crime statistics. Risk assessments have an element of subjectivity as willingness to accept or interpret risk will differ for each organization. 

It outlines that organizations can identify risks by evaluating the combination of threats/hazards, vulnerabilities, and consequences. It recommends beginning with an 'as-is review' of the enterprise to document information about the facility, property, personnel, staff, volunteers, contractors, community, valuable assets, and the organization's branding, reputation, and credibility. This includes facility identification and description; identification of the elements of the outer, middle, and inner perimeter; and identification of additional security assets and their functions.

The workbook also lays down an evaluation of significant areas and assets that require protection and their potential replacement costs; and a review of day-to-day operations, administrative procedures, cybersecurity safeguards, and physical security-related protocols. It also calls for evaluation of human resources practices, and consideration of the organization’s attitude toward security procedures. 

Subsequently, the document prescribed that the Security Planning Team or individual planner should document the threats (man-made) and hazards (natural) that the organization/business and surrounding community previously encountered or may encounter in the future. “Work with CISA PSAs (Protective Security Advisors) and CSAs (Cybersecurity Advisors), local law enforcement, your local emergency management agency, or other non-profits to obtain a relevant assessment detailing the potential threats and hazards to your organization,” it added.

Additionally, a vulnerability assessment must be performed to determine security countermeasures necessary to mitigate specific threats to personnel, facilities, and/or events. “Your findings can inform security decisions and help prioritize security actions by looking at feasibility, complexity, expected benefits, cost, and resource availability. Vulnerability assessments should collect data and information through interviews with key personnel and stakeholders, perform on-site inspections and observations, review relevant policies and procedures, and examine public records such as local crime statistics,” according to the Security Planning Workbook.

It added that the ‘most important aspect of a vulnerability assessment is documenting your process and findings so the data can help develop a security strategy. The assessment should be revised regularly.’

The culmination of the risk assessment process is the consolidation of the information collected. At this point an organization has a consolidated, prioritized list of the risks it faces, which shows how and where to direct investment to mitigate the consequences of an event.

To guide the assessment of an organization's risk, the workbook provides prompts to ensure that the risk assessment identifies the consequences associated with each identified risk; lists each type of threat or hazard previously identified; rates and ranks every risk by probability of occurrence and impact; and estimates the likelihood of each threat/hazard affecting the organization, weighed against the estimated cost and impact if it were to occur.
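The rating-and-ranking step above is the one part of the workbook's process that reduces to a repeatable calculation: each risk gets a likelihood and an impact rating, the product orders the register, and the expected loss of an event is weighed against what a countermeasure would cost. The following is an added illustration of that step written for this article; it is not the workbook's own tool. The 1 to 5 rating scale, the tier thresholds, and the sample risk entries with their dollar figures are constructed assumptions for the example, not CISA guidance.

```python
"""Illustrative risk-register scoring (added example, not the CISA workbook's own code).

Assumptions made for the example:
  - likelihood and impact are rated 1 (low) to 5 (high); score = likelihood * impact
  - tiers: score >= 15 high, >= 8 medium, otherwise low
  - expected annual loss (EAL) = loss per event * estimated events per year
  - a countermeasure is worthwhile when the EAL it removes exceeds its annual cost
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    kind: str                   # "threat" (man-made) or "hazard" (natural), per the workbook's split
    likelihood: int             # 1..5 rating
    impact: int                 # 1..5 rating
    loss_per_event: float       # estimated cost if the event occurs (USD)
    annual_frequency: float     # estimated events per year
    mitigation_cost: float      # annual cost of the proposed countermeasure (USD)
    mitigation_reduction: float # fraction of the loss the countermeasure removes (0..1)

    def __post_init__(self) -> None:
        # Reject malformed entries early so a bad register does not silently mis-rank.
        if self.kind not in ("threat", "hazard"):
            raise ValueError(f"{self.name}: kind must be 'threat' or 'hazard'")
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {label} must be 1..5")
        if not 0.0 <= self.mitigation_reduction <= 1.0:
            raise ValueError(f"{self.name}: mitigation_reduction must be 0..1")

    @property
    def score(self) -> int:
        """Probability-times-impact rating used to rank the register."""
        return self.likelihood * self.impact

    def tier(self) -> str:
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"

    def expected_annual_loss(self) -> float:
        return self.loss_per_event * self.annual_frequency

    def mitigation_worthwhile(self) -> bool:
        """True when the loss avoided per year exceeds the countermeasure's annual cost."""
        avoided = self.expected_annual_loss() * self.mitigation_reduction
        return avoided > self.mitigation_cost

    def decision(self) -> str:
        # The workbook leaves accept/mitigate to each organization; this is one simple rule.
        return "mitigate" if self.mitigation_worthwhile() else "accept or seek cheaper control"


def rank(risks: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by expected annual loss."""
    return sorted(risks, key=lambda r: (r.score, r.expected_annual_loss()), reverse=True)


# Constructed sample register (hypothetical figures for a small facility).
SAMPLE_REGISTER = [
    Risk("Ransomware delivered by phishing", "threat", 4, 5, 500_000.0, 0.20, 40_000.0, 0.60),
    Risk("Flooding of ground-floor server room", "hazard", 2, 4, 250_000.0, 0.05, 30_000.0, 0.90),
    Risk("Unauthorized entry by tailgating", "threat", 3, 3, 20_000.0, 1.00, 5_000.0, 0.70),
    Risk("Extended power outage", "hazard", 3, 2, 15_000.0, 0.50, 12_000.0, 0.80),
]


if __name__ == "__main__":
    for r in rank(SAMPLE_REGISTER):
        print(f"{r.score:>2} {r.tier():<6} EAL ${r.expected_annual_loss():>9,.0f}  "
              f"{r.decision():<28} {r.name}")
```

Running the block prints the register in priority order. Note that the ranking (driven by the 1 to 5 ratings) and the accept/mitigate decision (driven by dollar estimates) can disagree: the flooding risk ranks "medium" but its proposed control costs more per year than the loss it avoids, which is exactly the cost-versus-impact comparison the workbook asks planners to make explicit.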

Now that organizational risk assessment is complete, it’s time for organizations to enhance their security posture and put in place strategies to mitigate the identified risk(s). “Decisions to accept and mitigate risk are unique to each organization and should be based on the organization’s goals, objectives, and available resources. Your goals and objectives are key to determining your priorities and the resources required to mitigate risk(s),” the Security Planning Workbook added.

“Mitigation considerations can include training and exercising, building, or enhancing situational awareness, investing in physical security measures, and strengthening relationships and partnerships,” according to the Security Planning Workbook. “The information identified during your security risk assessment and the information gathered during the planning process can inform your decisions to implement measures to mitigate risk, reduce or eliminate potential hazards, and protect your organization from potential existing or future threats.”

The workbook then addresses how creating and regularly practicing effective training and exercise programs builds proficiency and can help personnel understand what to expect in the event of an emergency. “Training and exercises are critical components of security plans. Training should be completed for each planned incident or emergency event, such as natural disasters, active assailant incidents, and cyber-attacks,” it added. 

Training activities may take several forms, ranging from online learning to conducting a tabletop or full-scale exercise. These include online-based learning that should be integrated as part of the employee onboarding process and be completed at least annually. Also, exercises that help prepare for physical security incidents, such as active assailant training, should be conducted at least annually.

The Security Planning Workbook said that organizations must be ready to respond promptly, accurately, and confidently during an emergency in the hours and days that follow, as they will need to reach many different audiences with information specific to their interests and needs. “Emergency incidents can develop quickly, and effective communication with victims, staff and their families, customers, emergency responders, press, and other members of the community is essential to manage the situation. Security plans should account for communications both within (internal) and outside (external) the organization, as appropriate.” 

The document also addressed recovery which requires focused preparation and planning to meet the recovery needs of those impacted by an event. “This preparation and planning sets the foundation for successful recovery. Each EAP should address short-term and long-term recovery efforts and they should be tailored to the incident,” it added. 

“The goals in short-term recovery are to re-establish safety and mitigate the physical, psychological, and emotional impacts from the incident,” according to the CISA Security Planning Workbook. “Long-term recovery goals should help those impacted resume operations and return to a sense of normality in their daily interactions and professional life. The aim is to address both the immediate care of impacted personnel and return to full operations.”

Having compiled the key elements necessary for developing a security plan, critical infrastructure asset owners and operators are ready to draft the plan, review it, obtain approval from organizational leadership, and finally publish it. “Once your security plan has been drafted, re-confirm the plan supports your organization’s goals and objectives which have been identified earlier in the planning process. Consider having key members of your organization review the draft plan to ensure the plan is adequate, feasible, acceptable, and complete,” it added.

With the plan now validated, the planning team or primary planner should proceed to present it to senior officials for approval. Once the plan has received their approval, it should be distributed to relevant members within the organization. They must also consider convening an organizational meeting where members can seek clarifications or pose questions to ensure that the plan is well-understood and acknowledged.

After the plan has been approved and disseminated, organizations should focus on training their personnel to equip them with the necessary knowledge, proficiency in required skills, and the capability to execute the tasks outlined in the plan. The training can be conducted through various channels, such as new employee orientation, ‘All Hands’ meetings, conferences, workshops, newsletters, internal broadcasts, and online courses.

Planning teams or an organization’s primary planner should establish a process to review and revise the plan regularly, the Security Planning Workbook said. Plans should be reviewed and updated after a major incident; after changes in organizational resources; after formal updates of planning guidance, policies, management processes, or standards; and after changes to the threat environment. They should also be reviewed following significant improvements to the organization’s security and safety elements, and to incorporate feedback from exercise after-action reviews.

In September 2021, the U.S. administration made available an ‘Insider Risk Self-Assessment’ tool for critical infrastructure and the organizations that keep infrastructure operational. In addition, it released a cybersecurity information sheet covering the selection and hardening of standards-based remote access VPN solutions, aimed at securing the Department of Defense (DoD), national security systems, and the Defense Industrial Base (DIB).
