IT and online security are vital for organisations of any size. The alternative is business interruption, legal non-compliance, lost revenue, reputational damage or, at worst, business failure. You therefore need to take a systematic approach to security, and the first step is to compile and implement an effective business security plan.
Get Safe Online's top tips...
- If you do not already have a business security plan, compile and implement one as soon as possible. Review the plan regularly in line with your changing business needs, market conditions and evolving threats.
Writing and implementing a security plan does not have to be a daunting task. A good plan today is better than a perfect plan tomorrow, and it can always be updated and refined later.
The planning cycle
There are five steps to creating a good security plan:
- Audit
Review your own skills and knowledge. Determine if you need outside help. Identify assets and information that need to be protected, including hardware, software, documentation and data. Review the threats and risks. Make a prioritised list of items to protect.
- Plan
Write procedures for preventing, detecting and responding to security threats. Provide a framework for enforcing compliance, including staff policies. Identify who will be responsible for implementing and monitoring the plan. Agree a timetable for implementation.
- Execute
Communicate with staff. Train where necessary. Carry out the plan.
- Monitor
Research new threats as you become aware of them. Subscribe to security bulletins. Update and modify the plan as changes occur in personnel, hardware or software. Carry out ongoing maintenance such as backups and anti-virus updates.
- Repeat
Plan for a complete review and update six to twelve months after you complete the first plan or when your business goes through significant changes.
What to include
An effective security plan will include the following considerations. For smaller businesses, some may not be relevant or appropriate:
- Management buy-in and commitment
- External parties (customers, suppliers, partners, stakeholders)
- Information security policy
- Information risk management
- Responsibility for information assets
- Information classification (public, internal, confidential)
- New employee vetting
- Non-disclosure agreements
- Awareness and training
- Secure areas and access control
- IT equipment security
- Operational procedures and responsibilities
- New IT systems and upgrades
- Malware protection
- Backups
- Employees’ own devices
- Exchange of information (including third parties)
- Electronic and mobile commerce
- User monitoring
- Access management
- User responsibilities (including employment contracts)
- Mobile and remote working
- Network security management
- Network encryption
- Correct processing in applications to ensure data integrity
- Security within development and support
- Vulnerability management
- Reporting issues and weaknesses
- Incident management and escalation
- IT security aspects of business continuity management
- Compliance with legal requirements (including the Data Protection Act)
- Compliance with payment card industry standards
- Compliance with specific industry requirements (such as financial services, medical)