The first step in securing your small or mid-sized business is to develop a plan. This plan does not need to be complicated, extreme, or long. In fact, it needs to be simple, easy to follow, and just long enough to communicate the information. There are a few key parts that need to be in every security plan, though.
- Describe the Threat – What are the major threats against your business? While there are similarities among all businesses, yours may have unique threats that should be addressed. You should also include any compliance requirements, as those are intended to protect a business from common industry threats. This section sets the tone for the rest of the plan.
- Assign Responsibility – Establish the roles necessary to secure your business. You will need an overall decision maker, usually someone with some knowledge of risk management. The remaining roles will depend on your security needs and goals. They will likely include HR, accounting, and an IT systems administrator. Include external contacts as well. If you don’t employ full-time legal counsel, be sure to include the attorney or firm you have on retainer. You may also want to document a local law-enforcement contact. Plan ahead and make contact with a local or state law enforcement officer trained to handle cyber crimes.
- Establish Security Controls – This is where you document the required security settings and processes to ensure your business operates within its risk tolerances. If you are not subject to a compliance framework such as HIPAA, PCI DSS, or others, the recommended starting point is the Center for Internet Security’s 20 Critical Security Controls. You don’t have to adopt this document wholly, but it provides excellent controls to fit your risk and cost tolerances. You should also consider non-technical controls such as proper storage of sensitive information, proper handling of mobile devices outside of company facilities, and use of company information systems for non-business purposes.
- Document Consequences – As with any other requirements, these must also be enforced. While many controls can be enforced through technical means and are not easily circumvented, others must be enforced through manual processes and personnel sanctions. This doesn’t have to be completely wrapped in punishment or discipline. You merely want to reinforce the need for security and encourage employees to change any negative behavior.
Overall, keep it simple and concise – there is no need to make a novel out of it. The harder it is to implement and enforce, the less likely it is to succeed. Make sure it fits within your business needs and culture.