A strong security plan is a necessary part of doing business these days. But how do you create one? Where do you start? And how do you come up with a framework for creating security plans that will apply to all your clients?
Below are the 5 basic steps you’ll need to take to create a security plan that works for your clients.
1. ASSESS RISK
Assessing your clients’ risk allows you to jointly determine the proper security policies and procedures to put into place. To effectively assess risk, you need to examine threats, vulnerability, and assets. Start with a vulnerability assessment, in which you define, identify, and prioritize vulnerabilities in your client’s infrastructure. You may use automated testing tools, such as a network or application security scanner, to help you identify risks.
2. DOCUMENT AN ORGANIZATION-WIDE SECURITY PLAN
Here are some baseline components.
SECURITY POLICY PROCEDURES, GUIDELINES, AND STANDARDS
This includes management controls (risk assessment, review of security controls), operational controls (personnel security, physical security), and technical controls (identification and authentication, access controls).
SECURITY AWARENESS TRAINING
Security awareness training should be conducted at least annually, preferably more often than that. It might seem unnecessary, but given how much employee turnover there can be, you really can’t have too much training. Plus, the more regular it is, the more effective it is. After 12 months of consistent security awareness training, end users are 70 percent less likely to fall for a phishing attempt.1
Central management and reporting of all incidents is key for understanding an organization’s security posture and for coordinating a response to a potential attack.
COMPLIANCE REVIEWS AND ENFORCEMENT
Compliance reviews consist of annual reviews of applicable security systems and documentation including security plans, risk assessment reports, contingency plans, etc. Additionally, the company’s data may also be subject to third party compliance requirements, such as PCI for financial transactions or HIPAA for healthcare information.
1Webroot Inc. “2019 Webroot Threat Report.” (February 2019).
3. ESTABLISH A SECURITY MANAGEMENT STRUCTURE AND CLEARLY ASSIGN SECURITY RESPONSIBILITIES
The organization’s executive management team needs to determine if they require a senior security leader, such as a CISO, and how that person should interact with the rest of the teams. Build the team out from there, so that, in the event of a breach, each person knows their role and how to handle it.
4. IMPLEMENT EFFECTIVE SECURITY-RELATED PERSONNEL POLICIES
Require background checks on employees and contractors.
Ensure personnel have completed and signed non-disclosure agreements (NDAs).
Enforce termination and transfer procedures including:
Returning equipment, ID badges, access keys, etc.
Terminating user IDs and passwords
Identifying non-disclosure period effectiveness