SS PLAN PROCESS:
There are five steps to creating a good security plan:
- 1. Evaluate your business
We discuss your and your company's skills and knowledge and determine whether you need outside help at all. Identify the assets and information that need to be protected, including hardware, software, documentation and data. Review the threats and risks. Make a prioritized list of items to protect.
- 2. Plan a Solid Program and Process
Create processes and procedures for preventing, detecting and responding to security threats. Provide a framework for enforcing compliance, including staff policies. Identify who will be responsible for implementing and monitoring the plan on your side. Establish a timetable for implementation.
- 3. Execute the Plan
Communicate with staff. Train where necessary. Solicit feedback. Carry out the plan.
- 4. Constantly Monitor
We stay up to date on new threats as they emerge. We will update and modify the plan as changes occur in personnel, hardware or software, external market conditions, etc. Carry out ongoing maintenance such as backups and anti-malware software, and ensure software updates are current.
- 5. Repeat. Then Repeat Again.
Plan for a complete review and update three to six months after you complete the initial plan or when your business goes through significant changes.
What to include
An effective security plan will include the following considerations. For smaller businesses, some may not be relevant or appropriate:
- Management buy-in and commitment
- External parties (customers, suppliers, vendors, partners, stakeholders)
- Establish an Information Security Policy
- Address Information Risk Management
- Assign Responsibility for Information Assets
- Information classification (internal, public domain, confidential)
- New employee vetting
- Non-disclosure agreements
- Awareness and training
- Secure areas and access control
- IT equipment security
- Operational procedures and responsibilities
- New IT systems and upgrades
- Malware protection
- Backups
- Employees’ own devices – BYOD
- Exchange of information (including third parties)
- Whether electronic and mobile commerce come into play
- User monitoring processes and procedures
- Access management
- User responsibilities (including employment contracts)
- Mobile and remote working
- Network security management
- Network encryption
- Correct processing in applications to ensure data integrity
- Security within development and support
- Vulnerability management
- Reporting issues and weaknesses
- Incident management and escalation
- IT security aspects of business continuity management
- Compliance with legal requirements
- Compliance with Payment Card Industry (PCI) standards
- Compliance with specific industry requirements (such as financial services, medical)