Writing and implementing a security plan does not have to be a daunting task. A good plan today is better than a perfect plan tomorrow, and it can always be updated and refined later.
The planning cycle
There are five steps to creating a good security plan:
Review your own skills and knowledge. Determine if you need outside help. Identify assets and information that need to be protected, including hardware, software, documentation and data. Review the threats and risks. Make a prioritised list of items to protect.
Write procedures for preventing, detecting and responding to security threats. Provide a framework for enforcing compliance, including staff policies. Identify who will be responsible for implementing and monitoring the plan. Agree a timetable for implementation.
Communicate with staff. Train where necessary. Carry out the plan.
Research new threats as you become aware of them. Subscribe to security bulletins. Update and modify the plan as changes occur in personal, hardware or software. Carry out ongoing maintenance such as backups or virus updates.
Plan for a complete review and update six to twelve months after you complete the first plan or when your business goes through significant changes.
What to include
An effective security plan will include the following considerations. For smaller businesses, some may not be relevant or appropriate:
- Management buy-in and commitment
- External parties (customers, suppliers, partners, stakeholders)
- Establish information security policy
- Information risk management
- Responsibility for information assets
- Information classification (internal, public domain, confidential)
- New employee vetting
- Non-disclosure agreements
- Awareness and training
- Secure areas and access control
- IT equipment security
- Operational procedures and responsibilities
- New IT systems and upgrades
- Malware protection
- Back ups
- Employees’ own devices
- Exchange of information (including third parties)
- Electronic and mobile commerce
- User monitoring
- Access management
- User responsibilities (including employment contracts)
- Mobile and remote working
- Network security management
- Network encryption
- Correct processing in applications to ensure data integrity
- Security within development and support
- Vulnerability management
- Reporting issues and weaknesses
- Incident management and escalation
- IT security aspects of business continuity management
- Compliance with legal requirements (including the Data Protection Act)
- Compliance with payment card industry standards
- Compliance with specific industry requirements (such as financial services, medical)