DHS: Cybersecurity, Risk Assessment and Compliance

Cybersecurity, Risk Assessment and Compliance

Overview

Cybersecurity, risk assessment and compliance planning is responsible for all the planning development and maintenance services of plans related to emergency management threats and hazards. These include:

Integrated State Cybersecurity Incident and Response Plan
Threat and Hazard Identification and Risk Assessment (THIRA)
Stakeholder Preparedness Review (SPR)
Hazard Identification and Risk Assessment (HIRA)
National Incident Management/Comprehensive Preparedness Guidelines (NIMS and CPG)

This planner provides support services to the IDHS THIRA and SPR data to the Indiana Department of Health and the IDHS grants, exercise and training sections, as well as the State Emergency Operations Center during activations.

From the data collected from the THIRA and SPR, the planner conducts quantification analysis of capability gaps, provides additional context aligned with 92 counties' Planning, Organization, Equipment, Training and Exercise (POETE) gaps and develops county, district, IDHS regional and statewide capability graphs that are used in Integrated Preparedness Planning Workshops (IPPW).

Request Support

Get Prepared

Cybersecurity

Upcoming Events and Deadlines

View full IDHS calendar

The Planning Section manages the reporting cycles for several assessments and surveys of emergency management agencies statewide:

Assessment or Survey	Deadline (Frequency)
Hazard Identification and Risk Assessment (HIRA)	January 30 (every three years: 2021-2024-2027)
Threat and Hazard Identification Risk Assessment (THIRA)	October 31 (every three years: 2022-2025-2028)
Stakeholder Preparedness Review (SPR)	October 31 (annually)
Special Event Assessment Rating (SEAR)	August 26 (annually)
NIMS Compliance Survey	November 15 (annually)
Comprehensive Preparedness Guide (CPG) 101 Compliance Survey	November 15 (annually)

Partnerships

Cybersecurity is not simply one agency's or management’s responsibility; it is everyone’s responsibility to be aware and vigilant, so the IDHS cybersecurity, risk assessment and compliance planner engages with state and federal agencies to partner on cyber preparedness efforts.

Indiana Office of Technology Cybersecurity Hub

Indiana State Police Cyber Crimes

Federal Bureau of Investigations Cyber Crime

Cybersecurity and Infrastructure Security Agency

Highlights

Cybersecurity, risk assessment and compliance planning covers a wide scope of work. Below are just a few of the areas.

HIRA

Hazard Identification and Risk Assessment (HIRA)
In any crisis or emergency, Indiana’s foremost concern is for the protection of human life and property. The Indiana Hazard Identification and Risk Assessment (HIRA) identifies, ranks and prioritizes all hazards and threats facing the state's population. The assessment is a collaborative effort between IDHS and each county's emergency management agency, and it is updated on a three-year basis.
Each hazard in the HIRA has an expected frequency, or probability, which is simply a calculation of how likely it is to occur in a given time, such as a year. Specific characteristics such as population distribution, weather patterns and topography may pose unique challenges for managing emergencies and disasters, so these are also included in the assessment.
For example, some locations in northern Indiana are in the ingestion pathway of Illinois and Michigan nuclear power plants, where a cyber attack could have catastrophic cascading effects. The HIRA includes these types of risks so that emergency managers and first responders can plan ahead for tactics to prevent, lessen the impact of and respond to potential emergencies.
THIRA/SPR
Threat and Hazard Identification Risk Assessment (THIRA)
According to the National Risk and Capability Assessment developed by FEMA, the National Threat and Hazard Identification Risk Assessment (National THIRA) assesses the impacts of the most catastrophic threats and hazards to the nation and establishes capability targets to manage them. Indiana's Threat and Hazard Identification and Risk Assessment (THIRA) is a three-step risk assessment process that helps communities understand their risks and what they need to do to address those risks by answering the following questions:
- What threats and hazards can affect our community?
- If they occurred, what impacts would those threats and hazards have on our community?
- Based on those impacts, what capabilities should our community have?
The outputs from this process lay the foundation for determining a community’s capability gaps as part of the Stakeholder Preparedness Review.
Stakeholder Preparedness Review (SPR)
The Stakeholder Preparedness Review (SPR) is a self-assessment of a jurisdiction’s current capability levels against the targets identified in the THIRA. Using those targets, jurisdictions identify their current capability and how that capability changed over the last year, including capabilities lost, sustained and built.
Jurisdictions also identify capability gaps related to planning, organization, equipment, training and exercises, and they indicate their intended approaches to address those gaps while also maintaining their current capabilities. In addition, jurisdictions identify how FEMA preparedness grants helped to build or sustain their capabilities.
IDHS assists counties in preparing their THIRA and SPR, which are due on a regular basis to the state and federal government. The THIRA is on three-year cycle, whereas the SPR is reported annually.
NIMS/CPG

National Incident Management System (NIMS) Compliance Survey
Beginning in Fiscal Year 2005, Homeland Security Presidential Directive (HSPD)-5 required federal departments and agencies to make adoption of the NIMS by state, tribal, territorial and local organizations a condition for federal preparedness assistance through grants, contracts or other activities. The National Integration Center identifies implementation objectives, as contained in the NIMS Implementation Assessment, to help state, tribal, territorial and local jurisdictions determine if they have met the HSPD-5 adoption requirements.
IDHS collects Indiana counties' NIMS compliance reports to submit to FEMA every year.
Comprehensive Preparedness Guide (CPG) 101 Compliance Survey
The CPG 101 compliance survey tracks the timing for developing or revising emergency operation plans. It also captures the planning elements contained in CPG 101 to enable counties to analyze their Emergency Operation Plan (EOP) and Comprehensive Emergency Management Plan (CEMP). IDHS collects Indiana counties' CPG compliance reports to submit to FEMA every year.
This effort is part of the National Preparedness System, a process that organizes the tools and resources needed to promote unity of effort and achieve the National Preparedness Goal.
For more information on national preparedness efforts, visit FEMA's National Preparedness webpage.

Did You Know?

The FBI received more than 800,000 cyber crime complaints
in 2023, with potential losses exceeding $12.5 billion.
Protect yourself from ransomware attacks: Back it up!
Save your data and system images offline.

Cybersecurity, Risk Assessment and Compliance

Cybersecurity, Risk Assessment and Compliance

Overview

Request Support

Get Prepared

Cybersecurity

Upcoming Events and Deadlines View full IDHS calendar

Partnerships

Highlights

Did You Know?

The FBI received more than 800,000 cyber crime complaintsin 2023, with potential losses exceeding $12.5 billion.

Protect yourself from ransomware attacks: Back it up!Save your data and system images offline.

Resources

Upcoming Events and Deadlines

View full IDHS calendar

The FBI received more than 800,000 cyber crime complaints
in 2023, with potential losses exceeding $12.5 billion.

Protect yourself from ransomware attacks: Back it up!
Save your data and system images offline.