Security 102: Information Security Plan Implementation
Previous Security 102 articles establish the need for an information security plan and steps for developing an effective policy. But, as usual, even the best plan remains only "words on paper" until it is put into action.

Following Steps for Implementation
A well-developed security plan sets forth requirements and specifications that point to potential solutions. During the implementation phase, an organization:

  • uses plan specifications to identify useful products and services;
  • defines an overall implementation architecture;
  • develops a project plan for implementation of these products and services;
  • creates standard operational procedures for use of the solutions; and
  • develops a training plan (and materials, if necessary) to train users and administrators on use of the solutions.

This list appears to be relatively straightforward, and it should be. Unfortunately, in practice, many organizations make executing implementation tasks unnecessarily difficult.

Complexity is usually caused by the implementation team's failure to "pre-wire" the organization. In this context, pre-wiring is convincing management teams that the security program is in the best interest of the organization as a whole and of each team's respective part of it. Implementation of a security program in a properly pre-wired organization should be relatively painless.

Also, in most organizations, a common implementation hurdle is the temporary workload increase due to information security plan training. This training is aimed at preparing employees to operate and work successfully within the program. However, like any important training, it takes time and pulls employees away from their usual responsibilities.

Implementing the Program Gently and Incrementally
Managing an organization to successfully protect its information often requires a gentle rather than forceful approach. Security managers must remember that employees are not all information security experts; they are information users who draw on data to perform needed tasks within the organization.

While it may appear easier to adopt a heavy-handed approach to the development, implementation, testing and management of a security plan, such an approach upsets large numbers of information users. In contrast, a gentler approach garners acceptance and--in the end--an increased level of security, since employees see the value of guarding the data and, thus, want to protect it. After all, employees feel pride and ownership in information they have created.

Along with a temperate attitude, organizations will find greater success in an incremental approach to implementation. Although it appears to take longer, a step-by-step approach is frequently more positive and has less impact on the operation of the organization than a single large project. Incremental implementation eases security controls into operation.

Starting with Small Improvements
Small improvements in security are easier to implement than large ones. A simple process enhances the positive reactions from all persons involved in the changes, including implementers, users, managers and others. For one, incremental improvements are easier from the user's perspective (i.e., the user does not have to radically change the way he or she works). Also, incremental changes require less user and administrator training, something the already overworked professionals will appreciate.

From the security manager's perspective, incremental improvements are easier to manage, monitor and implement, along with being more readily accepted by the user population.

Despite all the positive aspects of the incremental approach to implementing the security plan, it does require careful project management to succeed. Putting the plan into practice piece by piece means that each subsequent phase of implementation builds upon controls that must already be present and operational. This means that the initial part of each upgrade is to check that the previous level is still properly configured. Clearly, this adds resource requirements to each phase of the implementation.

In summary, implementation of an information security plan can be a positive experience when completed in a thoughtful and incremental manner. The end results of a more secure computing environment--including a sharper competitive edge for the business--are well worth the effort.

Watch for the final Security 102 class, "Information Security Plan Testing and Management."