Critical Infrastructure Risk Assessment. Ernie Hayden, MIPM, CISSP, CEH, GICSP(Gold), PSP
Ernie was also involved in regional critical infrastructure disaster and attack simulation events. This is all to say that Ernie is a doer, and his community involvement is but one aspect of his professional testimony as a man who cares about his community and the people who live in it.
From then until now, Ernie has held a variety of positions in critical infrastructure protection, and this has taken him around the world where his services were needed. He has become one of the world’s premier experts on the topic. For him to write this book is a gracious and generous gift to the profession as a whole. This book is a treasure for the profession and will serve to advance the state of the art of critical infrastructure protection and the professional growth of hundreds or even thousands of others in the profession.
This book is a well-organized, step-by-step, how-to treatise on risk assessment and risk management for critical infrastructure. This book is a high-quality, high-density, low-noise reference to help any professional excel at big-picture or detail-oriented risk management and risk assessment work. It explains the concepts of risk, risk assessment, and the steps for performing a proper risk assessment found in few other texts. I especially appreciate the chapter on observation that instructs the reader how to perform various types of evidence gathering and the value of each technique. While this book is highly detailed, each chapter contains numerous references where the reader can go for even more in-depth information on each chapter’s topics. The book’s appendix contains a detailed, lengthy sample risk assessment report that puts many of the topics in the book to use.
In my experience as an executive consultant and having served dozens of companies and agencies over the past six years, I can confidently say that half or more of all organizations practice little or no risk management at all.
As the need for risk management becomes more apparent in organizations, this book should be in the library of every risk manager as well as every consultant performing risk assessments of critical infrastructure facilities - not on the shelf, but on the desk as a regular desk reference.
Peter Gregory
CISM, CISA, CIPM, CRISC, CISSP, CCSK, CCISO, QSA
Seattle, Washington
Table of Contents
WHAT YOUR COLLEAGUES ARE SAYING ABOUT CRITICAL INFRASTRUCTURE RISK ASSESSMENT
DEDICATION AND ACKNOWLEDGEMENTS
The Genesis
In this chapter you will discover:
The Risk Assessment Flow Chart
PART I FOUNDATIONS
Chapter 1 Just What is Critical Infrastructure?
1.1 What is Critical Infrastructure?
1.2 Critical Infrastructure Conceptual Development — United States
1.2.1 Mid-1990’s — Executive Order 13010
1.2.2 1998 — Presidential Decision Directive (PDD) 63
1.2.3 2001 (Post 9/11) Executive Order 13228
1.2.4 2001 (Post 9/11) USA PATRIOT Act
1.2.5 2002 National Strategy for Homeland Security
1.2.6 2003 National Strategy for Physical Infrastructure Protection
1.2.7 2003 Homeland Security Presidential Directive (HSPD-7)