Security 102: Information Security Plan Development


Development of an information security plan begins with a belief: Information is an important company asset and needs to be protected.

However, companies often do not match the level of protection with the data's actual value, this results in some information being over-protected and other highly valuable information not having adequate protection. To provide corporate information with the appropriate level of protection requires development, adoption and implementation of a plan to achieve this goal.

Steps for Developing a Plan
Organizations that recognize how they use and value information find the security planning process relatively easy, while those that do not and expect an "out of the box solution," find the process painful and are frequently exposed to uncomfortable realities. Five basic steps, listed below, can be helpful for developing an information security plan:
1. Identify the types of information that require protection
2. Estimate the value of information that exist in each type
3. Develop/Update an information security policy mandating that information be protected according to type
4. Set information protection standards for each information type
5. Create monitoring and management standards for checking compliance with the information protection standards

Risk Assessments: As organizations go through these steps, conducting risk assessments are essential for the following:

  • Identifying the information requiring protection
  • Establishing the value of this information in terms of the cost of creation, recreation, unauthorized disclosure or modification
  • Design of protection mechanisms are identifying residual risks if protection mechanisms are used
  • Cost/Residual Risk/Benefit analysis of protecting a given class of information
  • Additional protective measures required for further safety

    Risk assessments are part of the entire risk management program that companies apply to other parts of their operations. As with other risk management activities, an information risk assessment should be performed whenever changes to the usage, storage, access or processing of information are being planned. The results of the risk assessment may impact and require updates to the overall information security plan and compliance requirements with this plan.

    Plan Exceptions: Information security management controls are often littered with exception requests for various reasons, e.g. "I want to use ABC software package to carry out task 123 since the standard package doesn't provide the features needed for this task." Information protection should be one area in which exceptions to information security management controls are carefully considered and rarely granted.

    Requests for exceptions to one or more security controls should be examined from this perspective: "If this information is so valuable to us, why should we reduce the level of protection we apply to it?" Such a question is hard to argue against since the company has already considered the risks to its business prior to mandating compliance with the security control.

    Return on Investment: Although an information security plan requires investment for its creation, implementation and management, this cost can be justified by considering the business impact if valuable information were compromised by theft, destruction or modification. Of these, theft or modification is probably the most damaging--assuming an adequate data backup plan has been implemented.

    The impact of theft by a competitor is relatively easy to understand, while the effects of impact by modification are less obvious. Subtle modification of information can be damaging since it can affect decisions or operations that result in financial injury to the organization.

    Communication: The process for developing an information security plan can be easy or arduous, depending on the organization politics and personalities surrounding information protection. Development of an information security plan is not particularly technically oriented; it is predominantly a managerial and political task.

  • Managerial perspective: information identification and valuation; designation of acceptable risks in terms of the value of the information and the level of protection provided.
  • Political perspective: elicitation of cooperation and persuasion regarding adoption of new measures and the final plan prior to its adoption and implementation.

    Development, adoption, implementation and management of an information security plan will only be effective if it is strongly endorsed and publicly communicated by the most senior management of the organization. The information security plan defines what protection is required, but does not define how it should be provided.

    Required endorsement includes vocal, written and financial support. The necessity, impact, requirements and benefits resulting from design and implementation of an information security plan need to be openly and regularly communicated to users of the information as part of a normal security awareness program. If such a program does not already exist, it should be included in the development of the overall information security plan.

    Financial support is necessary to fund the initial development of the plan, its adoption and implementation, and to support continued monitoring and management over the long-term with an information protection infrastructure.

    Watch for the third Security 102 class, "Information Security Plan Implementation."