Disaster Recovery Planning - Business Continuity Planning
Software, Consulting and Training
Binomial International
Keeping businesses in business since 1980
22 September 2014

Example Security Plan Template

Every organization is different, and you will need to customize the structure of this security plan to meet your needs.

You will need to:

  1. identify the threats that your organization faces,
  2. analyze and prioritize those threats,
  3. devise plans and strategies to reduce the likelihood of those threats occurring,
  4. have contingency plans ready in case those threats occur.

Corporate Security Plan Table of Contents

This is the comprehensive table of contents for a typical corporate plan produced by Binomial PlanBuilder for Security. Some organizations will not need all these sections.

Executive Summary

Many people will avoid reading a plan until the last minute. The executive summary module allows people to obtain a quick overview of the plan without reading the details.

    1     EXECUTIVE SUMMARY
    1.1   Introduction
    1.2   Things to Know
    1.3   Objective

Quick Reference

When something happens, the first question people will ask is "What do I do now?"

This section helps them find the answer quickly.

    2     QUICK REFERENCE
    2.1   Objective of this Module
    2.2   Where to Find It

Introduction to Security

When people read your plan, they need to understand what you are trying to do and why. An introductory section helps ensure that the reader is familiar with concepts and terminology in the plan.

    3 INTRODUCTION TO SECURITY
    3.1 Protection
    3.2 Detection
    3.3 Reaction
    3.4 Documentation
    3.5 Prevention

Aspects of Security

This section could alternatively be moved into an appendix. It discusses the nature of the threats which need to be considered and common counter-measures that may be deployed.

    4   ASPECTS OF SECURITY
    4.1   Physical Security
    4.1.1   Introduction
    4.1.2   Security threats
    4.1.2.1   Design Approach
    4.1.2.1.1   Protective Barriers
    4.1.3     Planning & Administration
    4.1.3.1     Facility Protection
    4.1.3.2     Planning Facility Protection
    4.1.3.3     Design Factors
    4.1.3.4     Surveys and Inspections
    4.1.3.5     Awareness and Education
    4.1.3.6     Security incident Reporting
    4.1.4   Exterior Protection
    4.1.4.1     Perimeter Security Measures
    4.1.4.2     Physical Barriers
    4.1.4.3     Fencing
    4.1.4.4     Gates
    4.1.4.5     Protective Lighting
    4.1.4.6     Doors
    4.1.4.7     Windows
    4.1.4.8     Manholes, Grates and Storm Drains
    4.1.4.9     Roof Openings
    4.1.4.10    Mechanical Areas
    4.1.4.11    Building HVAC Systems
    4.1.4.12    Fire Escapes and Building Walls
    4.1.4.13    Facilities in Remote Locations
    4.1.4.14    Alarms
    4.1.4.15    Security Guards
    4.1.4.16    Protecting Utility Areas
    4.1.4.16.1    Transformers
    4.1.4.16.2    Connections and Lines
    4.1.4.17    Protecting Public Areas
    4.1.5     Interior Protection
    4.1.5.1     Interior Security Controls
    4.1.5.2     Area Designations
    4.1.5.2.1       Restricted Area
    4.1.5.2.2       Controlled Area
    4.1.5.2.3       Unrestricted Area
    4.1.5.2.4       Strongrooms
    4.1.5.3     Identification, Admittance & Interior Movement Control
    4.1.5.3.1       Employee Entry & Monitoring
    4.1.5.3.1.1     Personal Identification
    4.1.5.3.1.2     Artificial Access Identification Systems
    4.1.5.3.2   Contractors
    4.1.5.3.3     Visitors
    4.1.5.3.3.1     Visitor Control/Screening System
    4.1.5.3.3.2     Visitor ID Accountability System
    4.1.5.3.4     Vehicle Control
    4.1.5.3.5     Material Control
    4.1.5.3.6     Guard Duties
    4.2     Information Security
    4.2.1     Server Security
    4.2.2     Work Station Security
    4.2.3     Network Security
    4.2.4     Firewalls
    4.2.5     Website / Internet
    4.2.6     Communications Security
    4.2.7     Data Compromised
    4.2.8     Securing Applications
    4.2.8.1     Why secure applications?
    4.2.8.2     What should be included in a risk assessment?
    4.2.8.3     Securing applications
    4.2.8.4     Putting the puzzle together
    4.2.9     Attacks
    4.2.9.1     Social Engineering
    4.2.9.2     Virus/Trojan Horses
    4.2.9.3     Denial of Service
    4.2.9.4     IP Spoofing
    4.2.9.5     Worm
    4.2.9.6     Replay Attack
    4.2.9.7     Theft of Information
    4.2.10    Actions to Take Now to Improve IT Security
    4.3     Travel Security
    4.3.1     Airports & Airplanes
    4.3.2     Hotels
    4.3.3     Laptops
    4.3.3.1     The Loss
    4.3.3.2     Use a Cable Lock
    4.3.3.3     Don't Advertise with a Laptop Case
    4.3.3.4     Be vigilant at Checkpoints
    4.3.3.5     Keep Your Laptop Near
    4.3.3.6     Don't Clutter Your Laptop Case
    4.3.3.7     Laptop Travel Tips
    4.3.3.8     Protect Information on Your Laptop
    4.3.3.9     Back Up Data
    4.3.3.10    Practice Good Password Hygiene
    4.3.3.11    Use Two Factor Authentication
    4.3.3.12    Choose Your Hot Spots Carefully
    4.3.4     Cars/Taxis
    4.3.5     Cell phones
    4.3.5.1     Risks of Eavesdropping
    4.3.5.2     Risks of Recording
    4.3.5.3     Traffic Analysis
    4.3.5.4     Geolocation
    4.3.5.5     Other Cell Phone Security Risks
    4.4   Identity Theft
    4.5     Human Resources
    4.5.1     Termination
    4.6   Inside Security

Security Requirements

This section discusses the specific security requirements of your organization.

    5   SECURITY REQUIREMENTS

Security Risk Assessment

This section analyzes the security risks of your organization.

    6   SECURITY RISK ASSESSMENT

Security Teams

To effectively manage security, it is desirable to assign responsibilities to various teams.

Some of the teams here can be merged with business continuity teams (if your organization has a business continuity plan) or, if you have a smaller organization, merged with each other.

Each team should know what its responsibilities are, what it needs to do to prepare for a security incident, what its objectives are during a security incident, and what it should do after the security incident has been dealt with.

    7   SECURITY TEAMS
    7.1   Security Management Team
    7.1.1   Responsibilities
    7.1.2   Preparation Tasks
    7.1.3   During-Security incident Tasks
    7.1.4   Response Tasks
    7.1.5   Notes
    7.2   Plan Development Team
    7.2.1   Responsibilities
    7.2.2   Preparation Tasks
    7.2.3   During-Security incident Tasks
    7.2.4   Response Tasks
    7.2.5   Notes
    7.3   Situation Inspection Team
    7.3.1   Responsibilities
    7.3.2   Preparation Tasks
    7.3.3   During-Security incident Tasks
    7.3.4   Response Tasks
    7.3.5   Notes
    7.4   Exercise Management Team
    7.4.1   Responsibilities
    7.4.2   Preparation Tasks
    7.4.3   During-Security incident Tasks
    7.4.4   Response Tasks
    7.4.5   Notes
    7.5   Physical Security Team
    7.5.1   Responsibilities
    7.5.2   Preparation Tasks
    7.5.3   During-Security incident Tasks
    7.5.4   Response Tasks
    7.5.5   Notes
    7.6   Logical (IT) Security Team
    7.6.1   Responsibilities
    7.6.2   Preparation Tasks
    7.6.3   During-Security incident Tasks
    7.6.4   Response Tasks
    7.6.5   Notes
    7.7   Security Incident Response Team
    7.7.1   Responsibilities
    7.7.2   Preparation Tasks
    7.7.3   During-Security incident Tasks
    7.7.4   Response Tasks
    7.7.5   Notes

Actions to Take Now

During the planning and analysis process, a list of actions which need to be taken will be identified. This is where they go.

    8   ACTIONS TO TAKE NOW
    8.1   Steps To Improve Physical Security
    8.2   Steps To Improve Logical Security

Exercising The Plan

A plan which only exists on the shelf, or on a hard drive on a server, is not one that will be successfully put into practice when the need arises. This section describes the various methods by which the plan will be tested, exercised, and improved.

    9   EXERCISING THE PLAN
    9.1   General
    9.2   Emergency Drills
    9.3   Exercises
    9.3.1   Walk-Through Exercise
    9.3.2   Functional Exercise
    9.3.3   Simulation Exercise
    9.3.4   Full-Scale Exercise
    9.4   Scope Of The Exercise
    9.4.1   Component Exercise
    9.4.2   Plan Exercise
    9.4.3   Process Exercise
    9.4.4   Exercise Description
    9.5   Exercise Frequency
    9.6   Exercise Responsibility
    9.6.1   Exercise Management Team
    9.6.2   Application Team(s)
    9.7   Data Collection
    9.8   Internal Reviews & Critiques
    9.8.1   Evaluation
    9.8.2   Internal Tracking
    9.9   External Reviews & Critiques
    9.9.1   Schedule
    9.9.2   Location
    9.9.3   Participants
    9.9.4   Agenda
    9.9.5   Action Item Tracking
    9.9.6   Acknowledgements
    9.10  Test Suggestions

Training

The people who will execute the plan need to be trained if the plan is going to successfully be put into action.

    10    TRAINING
    10.1    General
    10.2    Who Should Be Trained
    10.3    Specific Functional Training
    10.4    Training Phases
    10.4.1    A Framework For Training Response Teams
    10.4.2    Pre-Planning Training & Awareness
    10.4.3    Planning Methodology Training
    10.4.4    Plan Role & Responsibility
    10.4.5    Pre-Exercise Training
    10.5    Response Procedures Training
    10.5.1    Purpose
    10.5.2    Building Accoutrements
    10.5.3    The Human Element
    10.6    Primary Procedures For Emergency Response
    10.6.1    Bomb Threat & Search Procedures
    10.6.1.1    Terrorist Bombing
    10.6.1.1    Bomb Threat
    10.6.2    Evacuation Procedures
    10.6.3    Severe Weather
    10.6.4    Medical Emergencies
    10.7    Suggested Scenarios
    10.7.1    Technological Accident
    10.7.2    Natural security incidents
    10.7.3    Business Crises
    10.7.4    External Threats/ Other Hazards
    10.7.5    External Threats due to Location
    10.7.6    Human Factors
    10.8    Supporting Document References

Maintenance

To ensure that the plan continues to meet the organization's needs, it needs to be maintained. This section discusses these requirements.

    11    MAINTENANCE
    11.1    Purpose
    11.2    Sequential Steps
    11.2.1    Assessment of the Situation
    11.2.2    Security Policy Formulation
    11.2.3    Security Plan Development
    11.2.4    Plan Implementation
    11.2.5    Inspection and Testing
    11.2.6    Evaluation
    11.3    Maintenance Reasons
    11.4    Maintenance Reports
    11.5    Maintenance Schedule
    11.6    Maintenance Log

Auditing

A plan audit assures everyone that the actions detailed in the plan are being taken, and that the plan meets its requirements. This section discusses and describes how the plan will be audited.

    12    AUDITING
    12.1    Auditing The Plan
    12.2    Auditing Corporate Security Plans
    12.2.1    The Plan Manager
    12.2.2    Determination of Criticality
    12.2.3    Resourcing
    12.3    Copies of the Plan
    12.4    Staff Training & Awareness
    12.5    Off-Site Storage Of Documentation
    12.6    Interdependencies
    12.7    Corporate Security & Recovery
    12.8    Testing & Exercises
    12.9    Maintenance Of The Plan
    12.10     Does The Plan Make Sense

Appendices

There is a lot of information that is useful for the plan reader and for those who will execute the plan, but does not form part of the plan itself. These are some of the appendices that could be included.

    1   SECURITY TERMS
    1.1   GLOSSARY OF INFORMATION SECURITY TERMS
    1.2   GLOSSARY OF NETWORK SECURITY TERMS
    1.3   GLOSSARY OF PHYSICAL SECURITY TERMS
    2   PASSWORDS
    3   POLICIES
    3.1   SERVER SECURITY POLICY
    4   REFERENCES
    5   FORMS
    6   SPECIAL CIRCUMSTANCES
    7   SECURITY MISTAKES
    8   SECURITY CHECKLISTS
    8.1   GENERAL SECURITY ISSUES
    8.2   UNIFORMED SECURITY OPERATIONS
    8.3   PERIMETER BARRIERS AND CONTROLS
    8.4   GATE SECURITY AND CONSTRUCTION
    8.5   VEHICLE CONTROL AND PERIMETER ENTRY POINT ACCESS
    9   STRONGROOMS
    10  INTRUSION DETECTION SYSTEMS
    11    GUARD SERVICES
    11.1    Personnel Requirements
    11.1.1    Manpower
    11.1.2    Armed Guards
    11.1.3    Supervision
    11.2    GUARD SERVICES STATEMENT OF WORK
    11.2.1    Scope of Work
    11.2.2    Contract Effort Required
    11.2.3    Services Required
    11.2.4    Supervision
    11.2.5    Authority and Jurisdiction
    11.2.6    Use of Force Policy
    11.2.7    Regulations and Procedures
    11.2.8    Equipment, Uniforms and Materials
    11.2.9    Qualification of Personnel
    11.2.10   Suitability Requirements
    11.2.11   Special Requirements for Supervisors
    11.2.12   Training
    11.2.13   Reporting Work
    11.2.14   Removal from Duty

Preparing Your Plan

This is potentially a lot of information for you to create and maintain. Fortunately there's a simple way to get started. It's far easier and more cost-effective to start with a product, such as our comprehensive Binomial PlanBuilder for Security, which will both enable you to get your plan up and running quickly and make it easier for you to maintain your plan.

The product pricing compares well with the do-it-yourself alternative. Why not request an evaluation copy and get started on your plan right away?

