First, What is a Security Plan?

A Security Plan (also called a System Plan) documents the controls that have been selected to mitigate the risks to a system. Which controls are selected is determined by a Risk Analysis.

To assist with this process, NIST (National Institute of Standards and Technology) provides a catalog of controls, along with templates outlining the Cybersecurity Framework for Critical Infrastructure and the Security Plan. Businesses may use this outline when creating their own Security Plan.

How to Implement Your Security Plan

1. Take an inventory of your physical and information assets (what are you protecting?).
2. Perform a risk assessment to determine what level of security is needed to protect your information assets.
3. Complete the checklist to make yourself aware of your security strengths and weaknesses.
4. Complete an evaluation. Evaluate your findings and discuss recommendations to correct deficiencies and/or improve security with departmental administration and IT staff.
5. Develop a security plan. Create a plan with target dates for implementation.
6. Set Deadlines / Completion Dates
7. Project Management – Monitor the process from start to finish
8. Evaluate upon completion

Responsibilities for a Departmental Security Plan

  1. Inventory – IT Staff
  2. Risk Assessment – Systems Administrator
  3. Checklist – Systems Administrator
  4. Evaluation – Systems Administrator
  5. Plan – IT Staff & Systems Administrator

What does a simple IT security plan schedule look like?

Tasks Example:
  1. Draft Security Plan
  2. Submit the Plan for review by other managers or by the outsourced IT company handling this process.
  3. Edit
  4. Finalize Security Plan
  5. Submit to the Board of Directors (if needed)
  6. Distribute the Plan to all Management
  7. Distribute the Plan to all Personnel
  8. Meet with Management – set dates – begin implementation
  9. Establish means to accomplish Security Tasks and events
  10. Establish Security Breach Committee
  11. Establish Proactive Security Committee
  12. Obtain and install required new equipment if needed (servers, workstations, programs, etc.)
  13. Implement new policies (e.g., clean desk, remote working)
  14. Evaluate the implementation
  15. Evaluate Security Program
    1. Internal Review
    2. External Review
  16. Modify Security Program and Plan
    1. Schedule follow up meetings / audit