At first glance, the task of writing an information security plan might seem intimidating, especially for smaller and mid-sized businesses that are just beginning to focus on security risks. This article will break down and explain the process of creating your company’s plan by giving you a solid understanding of what an information security plan should contain.
It is important to note that this article is intended to be a general guide to creating your Information Security Plan. Your own business likely has its own set of unique risks for which you’ll need to account. We highly recommend that you consult a security expert or legal counsel if you have any questions specific to your business that aren’t addressed in this article.
What is an Information Security Plan?
Why Build an Information Security Plan?
Additionally, having a plan in place represents taking a proactive approach to managing the various risks that your business may face, and enables you to make the right decisions as to how you should spend your resources to put safeguards in place. Ultimately, your information security plan will help ensure that the biggest risks are kept to a minimum, and that you’re adequately prepared to respond to any event that might occur.
Steps To Build an Information Security Plan
The Information Security Manager is the individual at your business who takes ownership of, and accountability for, the security plan. Their responsibilities include authoring the plan, routinely reviewing and updating it, facilitating employee training on security-related policies and procedures, and ensuring that the plan is enforced across the business as a whole. Name a specific person (and a deputy), not a committee, so that there is never any doubt about who is responsible.
This section is the foundation of your security plan: identification of your company's sensitive data and a comprehensive listing of exactly what needs to be protected. Catalog every piece of sensitive information your organization collects or comes into contact with, and for each item record how it is handled, in what form and where it is stored, and which roles need access to it. Don't forget your paper or hard-copy records! Although most attention is given to the security of electronic data, paper records are just as easily lost or stolen, and a filing cabinet full of customer applications is a breach waiting to happen if nobody has written it down as an asset.
Describe the safeguards that are currently in place to protect the sensitive data your company possesses. Protection can take many forms: for example, locked file cabinets, locked storage areas for computer equipment, encryption of electronic records at rest, firewalls and intrusion detection on the network, and encrypted channels for transmitting data. Remember to include details on data destruction: how are you disposing of records, electronic or paper, when you no longer need them? Shredding paper, securely wiping or physically destroying storage media, and keeping a record of what was destroyed and when are the usual expectations; simply deleting a file or reformatting a drive does not reliably remove the data.
Another critical step in the creation of your information security plan is to identify and evaluate the third parties with whom your company shares its sensitive data. Once you have identified who receives the data, explain how your company is assured that those third parties are taking steps to protect it. A common starting point is to request written confirmation from each vendor that they maintain an information security plan of their own. Treat such a letter as a minimum rather than as proof: a self-attestation tells you only that the vendor says they have a plan. Where the data is sensitive enough to warrant it, also put security obligations into the contract (including a duty to notify you of a breach) and ask for evidence, such as an independent audit report, that the controls actually exist.
One of the hardest breach risks to manage in any organization is the "human factor": staff who are tricked, careless, or simply never told what the rules are. It is crucial that you develop a strategy to raise your staff's overall security awareness and to inform them of the policies and procedures you are implementing as part of your information security plan. You will also want to detail how you will regularly audit the access your staff has to your sensitive data, so that only those employees who actually work with the data can reach it. In practice this means periodically comparing who holds access to each sensitive data store against who, by role, needs it, and revoking anything that does not match, including accounts belonging to people who have left or changed jobs.
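The access audit described above is easy to state and tedious to do by hand, so it is worth scripting. The following is an added example, not code from the original article: it takes the data inventory (which roles each sensitive store is meant to serve), a staff roster, and an export of who actually holds access, and reports every grant the plan does not justify. All the store names, usernames and roles are constructed for illustration.

```python
"""Least-privilege access review.

Given (a) the roles each sensitive data store is meant to serve, (b) the
current staff roster with each person's role and employment status, and
(c) an export of who actually holds access, report every grant that the
plan does not justify. All data below is constructed for the example.
"""
from dataclasses import dataclass, field

# Sensitive data stores from the inventory and the roles that work with them.
ALLOWED_ROLES = {
    "payroll_db": {"payroll", "finance"},
    "customer_pii_share": {"support", "sales"},
    "hr_paper_archive": {"hr"},          # physical records count too (key holders)
}

# Staff roster (constructed): username -> (role, still employed?)
ROSTER = {
    "alice": ("payroll", True),
    "bob": ("support", True),
    "carol": ("engineering", True),
    "dave": ("finance", False),          # left the company last month
}

# Access export (constructed): (store, username) pairs as the systems report them.
ACL_EXPORT = [
    ("payroll_db", "alice"),
    ("payroll_db", "carol"),             # engineer with payroll access: excess
    ("payroll_db", "dave"),              # departed user: orphaned grant
    ("customer_pii_share", "bob"),
    ("customer_pii_share", "mallory"),   # not on the roster at all
    ("hr_paper_archive", "alice"),       # payroll staff holding an HR archive key: excess
    ("legacy_backup_share", "bob"),      # store nobody put in the inventory
]


@dataclass
class ReviewResult:
    justified: list = field(default_factory=list)      # role needs the store
    excess: list = field(default_factory=list)         # role does not need the store
    orphaned: list = field(default_factory=list)       # departed or unknown account
    unknown_store: list = field(default_factory=list)  # store missing from inventory


def review_access(acl, roster, allowed_roles):
    """Classify every grant in the ACL export.

    Returns a ReviewResult whose buckets hold sorted (store, user) pairs.
    A grant is checked in order: is the store inventoried at all, is the
    account a current employee, and does that employee's role justify it.
    """
    result = ReviewResult()
    for store, user in acl:
        if store not in allowed_roles:
            # Access to something the inventory does not know about is a
            # finding in its own right: the inventory is incomplete.
            result.unknown_store.append((store, user))
            continue
        entry = roster.get(user)
        if entry is None or not entry[1]:
            result.orphaned.append((store, user))
            continue
        role = entry[0]
        if role in allowed_roles[store]:
            result.justified.append((store, user))
        else:
            result.excess.append((store, user))
    for bucket in (result.justified, result.excess,
                   result.orphaned, result.unknown_store):
        bucket.sort()
    return result


def grants_to_revoke(acl, roster, allowed_roles):
    """Everything the review flags, as one sorted list for the ticket queue."""
    r = review_access(acl, roster, allowed_roles)
    return sorted(r.excess + r.orphaned + r.unknown_store)


if __name__ == "__main__":
    r = review_access(ACL_EXPORT, ROSTER, ALLOWED_ROLES)
    for name in ("justified", "excess", "orphaned", "unknown_store"):
        for store, user in getattr(r, name):
            print(f"{name:13} {store:20} {user}")
```

The three non-justified buckets map to three different fixes: excess grants go back to the data owner to approve or revoke, orphaned grants should be revoked immediately and the offboarding process checked, and an unknown store means the data inventory itself needs updating before the next review. Running this against real exports means replacing the constructed dictionaries with a roster pulled from HR and ACLs pulled from each system; the classification logic does not change.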
The purpose of identifying risks is to give your business insight into where the most likely threats come from and where the largest losses (monetary, legal, or reputational) would occur if one of them materialized. For each item in your data inventory, ask what could go wrong, how likely it is, and how bad it would be; rating each risk on both likelihood and impact lets you intelligently prioritize your time and resources so that you address the biggest threats first rather than the ones that happen to be most visible.
Even with the best plans for preventing a data breach, it is absolutely crucial to have a response plan in place for the event that a breach does occur. Your plan should be explicit about how you will respond: who is responsible for executing the response plan, the exact actions to be taken, and the order in which they will occur (for example, containing the incident and preserving evidence before wiping and rebuilding affected systems). Also include a Notification Listing, which details the notification requirements for all relevant parties, for example the affected individuals, local law enforcement, state or federal authorities, and any contractual partners. Notification laws vary by state, and some industries carry additional federal requirements, so familiarize yourself with the regulations that apply to you before an incident rather than during one; several impose deadlines measured in days. Finally, walk through the plan with the people named in it at least once, since a response plan that has never been exercised tends to fail on its first real use.
Every business is in a constant state of change. New products are offered, vendors come and go, and your computer infrastructure is constantly evolving. The risks that you face today are not the risks that you faced last year, nor will they be the risks you face next year. For that reason, it is imperative that you routinely review and update your information security plan to keep it in sync as your business evolves. Your information security plan should state how often the document will be reviewed by your Information Security Manager, at least once a year, though more frequent reviews are often recommended. It should also name the events that trigger a review out of cycle, such as adding a new vendor or data store, a significant change to your systems, or a security incident, since those are exactly the moments at which the plan is most likely to have gone stale.