First, What is a Security Plan?
A Security Plan (also called a System Security Plan) documents the controls that have been selected to mitigate the risks identified for a system. Which controls are selected is determined by a Risk Analysis.
To assist with this process, NIST (National Institute of Standards and Technology) provides a catalog of controls, together with templates outlining the Cybersecurity Framework for Critical Infrastructure and a Security Plan outline. Businesses may use this outline as the starting point for their own Security Plan.
How to Implement Your Security Plan?
1. Take an inventory of your physical and information assets (what are you protecting?).
2. Perform a risk assessment to determine what level of security is needed to protect your information assets.
3. Complete the checklist to identify your security strengths and weaknesses.
4. Complete an evaluation. Evaluate your findings and discuss recommendations to correct deficiencies and/or improve security with departmental administration and IT staff.
5. Develop a security plan. Create a plan with target dates for implementation.
6. Set deadlines and completion dates for each item in the plan.
7. Project management: monitor the process from start to finish.
8. Evaluate the results upon completion.
Responsibilities for a Departmental Security Plan
- Inventory – IT Staff
- Risk Assessment – Systems Administrator
- Checklist – Systems Administrator
- Evaluation – Systems Administrator
- Plan – IT Staff & Systems Administrator
What does a simple IT security plan schedule look like?
- Draft Security Plan
- Submit the plan for review by other managers or by the outsourced IT company engaged for this process.
- Finalize Security Plan
- Submit to the Board of Directors, if needed.
- Distribute the Plan to all Management
- Distribute the Plan to all Personnel
- Meet with Management to set dates and begin implementation.
- Establish the means (budget, staff, tooling) to accomplish the security tasks and events in the plan.
- Establish Security Breach Committee
- Establish Proactive Security Committee
- Obtain and install any required new equipment (servers, workstations, programs, etc.).
- Implement new policies (e.g. clean desk, remote working).
- Evaluate the implementation
- Evaluate Security Program
- Internal Review
- External Review
- Modify Security Program and Plan
- Schedule follow-up meetings and audits.