U.S. flag

An official website of the United States government, Department of Justice.

NCJRS Virtual Library

The Virtual Library houses over 235,000 criminal justice resources, including all known OJP works.
Click here to search the NCJRS Virtual Library

Practices for Securing Critical Information Assets

NCJ Number
Date Published
January 2000
98 pages
This document provides guidance to Federal agencies to develop a national plan for protecting the country’s critical infrastructure and to coordinate plan implementation efforts.
The Critical Infrastructure Assurance Office (CIAO) was established to assure the security of the infrastructure of the United States, especially the cyber-based infrastructure. The first step in determining what information systems, data, and associated assets constitute the critical information is to draw up an inventory of all candidate assets. Performing a vulnerability audit involves finding and documenting the vulnerabilities in critical information assets. Critical asset elements include personnel, automated information and control systems, non-automated information and control systems, data, and facilities and equipment. Each agency should then apply risk management analysis to the entire list of vulnerabilities associated with their critical assets and infrastructure dependencies. Sound practices for securing facilities and equipment include making sure secure rooms have no more than two doors, relatively small windows, and good key control. To protect data and software against nonphysical threats, a business should include virus protection, firewalls, sound access control practices, and encryption. A computer security incident could include compromise of integrity, denial of service, misuse, damage, intrusions, and alterations. A computer security incident response capability (CSIRC) is a set of policies and procedures defining security incidents and governing the actions to be taken when they occur. 4 figures, glossary, and 5 appendices