The Critical Infrastructure Assurance Office (CIAO) was established to assure the security of the infrastructure of the United States, especially the cyber-based infrastructure. The first step in determining what information systems, data, and associated assets constitute the critical information is to draw up an inventory of all candidate assets. Performing a vulnerability audit involves finding and documenting the vulnerabilities in critical information assets. Critical asset elements include personnel, automated information and control systems, non-automated information and control systems, data, and facilities and equipment. Each agency should then apply risk management analysis to the entire list of vulnerabilities associated with their critical assets and infrastructure dependencies. Sound practices for securing facilities and equipment include making sure secure rooms have no more than two doors, relatively small windows, and good key control. To protect data and software against nonphysical threats, a business should include virus protection, firewalls, sound access control practices, and encryption. A computer security incident could include compromise of integrity, denial of service, misuse, damage, intrusions, and alterations. A computer security incident response capability (CSIRC) is a set of policies and procedures defining security incidents and governing the actions to be taken when they occur. 4 figures, glossary, and 5 appendices