Include controls in the system - Sample security plan

Sample Security Plan for Firm X

As a result of risk assessments, the following items need to be addressed within the organisation to improve system security.

Each item should be discussed between the administration (CEO, Director, Administrator) and the Systems Administrator to determine whether it is a genuine deficiency and whether additional security processes or policies should be implemented.

The organisation will implement the following improvements for security purposes with the following target dates.

| Item/issue | Response/improvement |
|---|---|
| UPS (uninterruptible power supply) testing | UPS will be tested on the first working day of each month. |
| Maintain diagnostic software onsite | Diagnostic software will be researched and purchased at the discretion of the Systems Administrator. |
| Target date to move database to new software | Database will be moved from Paradox to Access by dd/mm/yyyy. |
| Provisions to continue operations in the event central services software is not available | A team will be created to develop a plan for business continuity in the event of central services downtime. |
| Network documentation for computers and network devices | Part-time staff will be hired to create documentation. |
| Physical and software access to network devices | Access will be discussed at staff meetings until resolved, beginning dd/mm/yyyy. |
| WAN failure department functionality | Staff will have sufficient software to support short-term network problems. |
| Staff duties and standards | Security duties and responsibilities will be allocated to designated staff. Standards will be evaluated at regular intervals (quarterly). |
| Documentation to explain how to perform all IT security related duties | Those responsible will document IT-related duties for review by the Systems Administrator and CEO. |
| Additional training | Security training will be provided to the Systems Administrator. |
| Delegation of authority | Authority for security-related issues will be delegated by policy, or by decision of the Director. |
| Funding | A sincere effort will be made to provide for additional security measures and personnel. Initially, 1% of the budget will be devoted to security-related purchases. |
| Non-disclosure agreements | All IT staff will be asked to sign a non-disclosure agreement for confidentiality purposes. |
| Enforce stronger passwords | Strong passwords will be requested; however, neither the CEO nor the Systems Administrator considers this enforceable. (Software is available to enforce strong passwords.) |
| Account removal process | A policy and procedure will be created to address account removal within the next six months. |
| Unauthorised users | Staff will be provided with a workshop on security awareness and social engineering to make them aware of security practices. |
| Remote access authorisation | The Systems Administrator will conduct a survey of alternative methods for remote access, including modems, VPN, wireless, network connections and PDAs. |
| Document physical security procedures | Information on security procedures will be solicited from security vendors. |
| Procedure for disposing of confidential and sensitive material on hard drives, tapes, floppy disks, CDs, DVDs and so on | Systems Administrator will provide process and documentation by dd/mm/yyyy. |
| Network diagrams that include IP addresses, room numbers and responsible parties | Part-time staff will research and produce the diagrams by dd/mm/yyyy. |
| Log retention standard | Systems Administrator will research and provide a report by dd/mm/yyyy. |
| Protection for clear-text passwords that are embedded in SQL scripts | Systems Administrator will consult with IT vendors and report by dd/mm/yyyy. |
| The FTP server operator needs more information about Warez site problems and techniques | FTP server operator will research training options by dd/mm/yyyy. |
| Data integrity software | Systems Administrator will research data integrity software by dd/mm/yyyy. |
| Inventory of devices attached to the network | Part-time staff will perform inventory by dd/mm/yyyy. |
| Room jacks mapped to a switch port | Systems Administrator will check for advice by dd/mm/yyyy. |
| Written contingency plan | IT Director will create a team to research and document contingency plan by dd/mm/yyyy. |
| Plan to continue departmental business in the event that Central Systems are down | IT Director will create a team to research and document contingency plan by dd/mm/yyyy. |
| Investigate whether the organisation should store backup media offsite | IT Director will create a team to research and document contingency plan and backup storage by dd/mm/yyyy. |
| Regular dates to test to verify backup capabilities | Backup capabilities will be tested in June and January. |
| Only trained, authorised individuals to install computer equipment and software | Experience and training guidelines will be established by the Systems Administrator and approved by the IT Director by dd/mm/yyyy. |
| Plan funding for upgrades | IT Director will set aside funding for regular upgrades and security improvements. |
| Determining whether the system was or is being attacked | Systems Administrator will meet and discuss IT security improvements with vendors by dd/mm/yyyy. |
| Policies, standards and procedures | The organisation will write and implement the following additional policies, standards and processes by dd/mm/yyyy: passwords; account removal; elimination of chat clients; trusted workstation security. |

Assign responsibilities

  • Responsibilities are embedded in the Security Plan above.
  • Management will now be responsible for approving the Security Plan and providing the means to enforce it.


© New South Wales Department of Education and Training 2006