Every organization, be it a company with five employees or an international conglomerate with tens of thousands of employees, needs to:
This is the remit of the security plan — a realistic examination of the non-commercial and non-financial threats facing your company and the ways it will deal with them.
While a small company might be able to keep this information in the head of a manager or the business owner, an organization of any significant size needs to put it on paper where it can be discussed, reviewed, and put into action.
It needs a security plan.
The first part of the security plan should describe its scope — what it is intended to cover. For a small company the scope might be the entire organization; for a larger organization, it might be limited to one location or one department.
The scope may also be limited by the type of threats it covers. Often a separate security plan is written just for IT-related threats, since these require specialized knowledge to understand and address. The scope may also be limited to certain operations on a need-to-know basis: office staff do not need to know about the security plan for the movement of cash to and from bank branches, for example.
The next part of the security plan is the security assessment. This is the part of the plan which answers the question: where are we now?
The assessment needs to identify what we need to defend (people, locations, equipment, confidential information, service availability). Unless we know what we are defending, we cannot determine which threats we need to be concerned with.
Following this inventory of the things that need to be defended, we need to determine the threats we need to defend against.
These may include:
For each threat we need to determine the risk: the combination of how likely it is to occur and what its impact on the organization would be.
We also need to determine what precautions are already in place to reduce either the likelihood of the threat or its impact. These may include physical and technical measures (burglar alarms, fences, network firewalls), procedural controls (two signatures required for checks for more than $1000), staff policies, and staff training.
Finally, the assessment needs to prioritize the risks. Which are we going to act on first, which can we defer for now, and which can we accept for the foreseeable future?
Note that rarer threats that may significantly impact the organization (fire, flood, earthquake, etc.) are often excluded from the plan's scope and addressed in a separate business continuity plan or disaster recovery plan, since these threats, and the actions required to address them, are further from the normal day-to-day running of the organization.
The last part of the plan identifies the actions we are going to take and when we are going to take them. Without this step, we have only a security assessment, not a security plan.
The actions may be of a one-off or of a continuing nature. They might involve:
Whatever the actions are, it is important that specific individuals are assigned responsibility for carrying them out. The individual chosen must have the skills, time, budget, and resources to do so.
There must also be a mechanism in place to verify that the actions are carried out and not forgotten. Typically this involves regular review meetings of a steering committee to confirm that action items are being pursued and that feedback on the plan is being addressed.
Finally, the plan needs to be updated regularly as the organization's assets change and as the organization learns more about the threats to its operations. There should be a formal review of the security plan at least once a year, and whenever a significant change in the organization's operations occurs.