Earthquake Risk Transfer for Information Technology
Sector Overview
The Information Technology (IT) Sector provides products and services that support the efficient operation of today’s global information-based society. These products and services are integral to the operations and services provided by other critical infrastructure Sectors. While IT Sector operations, products, services, and functions enhance efficiency and effectiveness and increase the resilience of the Sector, they face numerous multifaceted global threats from natural and manmade events on a daily basis. Many of these events occur frequently but do not have significant consequences because of individual entities’ existing security and response capabilities.
The purpose of the IT Sector-Specific Plan is to guide and align the Sector’s efforts to secure and strengthen the resilience of critical infrastructure and describe how the IT Sector contributes to national critical infrastructure security and resilience. This Sector-Specific Plan represents a collaborative effort among State, local, tribal, and territorial governments; non-governmental organizations; Federal departments and agencies; and private industry to establish common goals to reduce critical infrastructure risk. It also reflects the maturation of the IT Sector partnership and the progress made by the Sector to address the evolving risk, operating, and policy environments.
Sector Profile
The IT Sector provides products and services that support the efficient operation of today’s global information-based society and are integral to the operations and services provided by other critical infrastructure Sectors. The IT Sector is composed of small and medium businesses, as well as large multinational companies. Unlike many critical infrastructure Sectors composed of finite and easily identifiable physical assets, the IT Sector is a functions-based Sector that comprises not only physical assets but also virtual systems and networks that enable key capabilities and services in both the public and private sectors.
The IT Sector functions encompass the full set of processes involved in creating IT products and services, including Research and Development (R&D), manufacturing, distribution, upgrades, and maintenance. They also support the Sector’s ability to produce and provide high-assurance products, services, and practices that are resilient to threats and can be rapidly recovered. Assurance is essential to achieving the Sector’s vision and is therefore a fundamental aspect of all critical functions. The functions are not limited by geographic or political boundaries, further defining the Sector’s virtual and distributed nature. This distribution highlights the increasing need for international collaboration and coordination for risk assessment activities, effective security practices, and protective program design and implementation. Additionally, the critical functions may be developed and maintained by small, medium, or large companies with varied resources and capabilities, highlighting the need for risk management strategies and protective programs that map and scale to a wide range of needs.
Sector Risk
The IT Sector’s physical infrastructure risks primarily encompass those that threaten public health or safety, undermine public confidence, have a negative effect on the national economy, or diminish the security posture. Physical infrastructure risks also include natural disasters, such as earthquakes, floods, and hurricanes. When analyzing physical vulnerabilities, the Sector’s approach will assess the likelihood of a physical vulnerability for people, processes, or technology to exploit a resource.
IT Sector Critical Functions
Six critical functions support the Sector’s ability to provide high-assurance IT products and services for various Sectors. These functions are required to maintain or reconstitute networks (e.g., the Internet, local networks, and wide area networks) and their associated services. The functions reflect the consensus on critical functions derived from the 2009 IT Sector Baseline Risk Assessment; these functions are vital to economic security and to public health, safety, and confidence.
These functions are distributed across a broad network of infrastructure and managed proactively, and can therefore withstand and rapidly recover from most threats.
These critical IT Sector functions are provided by a combination of entities—often owners and operators and their respective associations—who provide IT hardware, software, systems, and services. IT services include development, integration, operations, communications, testing, and security.
- Provide IT Products and Services
- Provide Incident Management Capabilities
- Provide Domain Name Resolution Services
- Provide Identity Management and Associated Trust Support Services
- Provide Internet-based Content, Information and Communication Services
- Provide Internet Routing, Access, and Connection Services