
4 Managing ICT Risk
Pages 93-110



From page 93...
... Yet, despite this overlap between Y2K and ongoing security and information assurance efforts, little formal effort was made to leverage the Y2K "investment" to improve management of these related critical ICT issues.
From page 94...
... Most ICT managers had never operated under a policy of zero risk tolerance, and they saw it as inappropriate for their situation.
From page 95...
... 4.1.2. Risk Tolerance of ICT Managers versus Senior Leadership

To a great extent, the frustrations of ICT managers stemmed from fundamental differences in their tolerance for risk versus that of senior leadership.
From page 96...
... Nevertheless, due diligence became a fundamental aspect of the Air Force Y2K response, filtering down from senior leadership to all participants in the effort.
From page 97...
... On the one hand, this pressure was beneficial in helping to bring together the critical mass of people and resources needed to address the cross-functional, cross-organizational Y2K problem. On the other hand, this outside pressure, particularly in the form in which it came from the media, helped fuel the broad nonspecific response and zero tolerance policy.
From page 98...
... In the context of zero risk tolerance, meeting the embedded chip threat required a huge, almost never-ending effort. ICT managers recognized that this was a fundamentally different issue from the Y2K data and ICT systems issues they had been dealing with.
From page 99...
... Faced with the need to establish Y2K continuity plans, Air Force leaders looked to its existing COOPs (as well as, to some extent, its ORM, as discussed below)
From page 100...
... Though little formal effort was made to apply ORM to addressing potential Y2K problems in ICT systems, there was a more formal effort to apply ORM to Y2K continuity planning.
From page 101...
... The anecdotal evidence indicates there was far more change to IT equipment and systems than to non-IT infrastructure. Changes to IT infrastructure may have impacted up to half of the IT inventory items; changes to more traditional infrastructure items probably ranged between 2 and 5 percent (AFCA)
From page 102...
... (AFY2KO)

4.2 Application to Security, CIP, and Infrastructure Assurance

Even though Y2K included a massive, multiyear ICT risk management effort, that effort did not significantly impact the ongoing programs for addressing threats to ICT.
From page 103...
... 4.2.1. Intentional versus Systemic ICT Risk

The 1997 report of the President's Commission on Critical Infrastructure Protection focused on issues stemming from intentional actions of hostile enemies.
From page 104...
... The Y2K experience also revealed fundamental differences between intentional cyber threats and systemic ones. Hostile intentional threats originated primarily from outside the ICT system (although this includes outsiders who gain access to the inner workings of the system)
From page 105...
... This lesson was learned during Y2K, but even though many ICT managers saw its relevance to ongoing security and risk management efforts, there was little actual transfer. "Although we learned that Y2K was an operational problem -- not just the purview of the SC -- we fundamentally have handed
From page 106...
... 1. Expand the notion of infrastructure assurance to include unintentional, systemic risk, and integrate efforts to address systemic risk with more established efforts to address hostile, intentional risk.
From page 107...
... Y2K demonstrated the importance of distinguishing day-to-day operational issues from cross-organizational strategic issues. The strategic approach of senior leaders was not always applicable to individual issues of ICT risk, nor was the functional approach of ICT managers always applicable to enterprise-wide strategic risk issues.
From page 108...
... While this effort revealed a number of inadequacies in the creation and maintenance of existing COOPs, the Air Force can build on this learning experience. COOPs are a highly applicable way to minimize ICT risk, whether from hostile enemy action or systemic complexity, but problems were revealed during Y2K.
From page 109...
... Like the many other aspects of ICT management discussed throughout this report, ICT risk management requires a permanent, cross-organization point of contact under the guidance and auspices of the CIO (as discussed in Section 3.13)
