E’s Data Security Company Strategic Security Plan – 2015
Table of Contents
1 EXECUTIVE SUMMARY
1.1 Introduction
1.2 Objectives
1.3 Determine company position
2 INTRODUCTION TO SECURITY
2.1 Develop
2.2 Information Security Employee Responsibilities
2.3 Establish Oversight Authority for Information Security
2.4 Establish Reporting Procedures for Leaders
2.5 Review of Pertinent or Sensitive Data
2.6 Purge Unneeded Data
3 SYSTEMS ACCESS
3.1 Implement badge system for staff
3.2 Implement policies and procedures for badging system
3.3 Unauthorized Systems Access
4 SURVEILLANCE AND SECURITY
4.1 Implementation of a surveillance system throughout entire facility
4.2 Integrate door locking mechanisms throughout the facility
4.3 Educate employees on cyber threats and trends
5 EMERGENCY SITUATIONS
5.1 Chain of Command
5.2 Communications plan
5.3 Safety and Security Drills
6 SECURITY RISK MANAGEMENT
7 REFERENCES
1 EXECUTIVE SUMMARY
Instructor comment: Per APA, always use Times New Roman 12 font.
E’s Data Security Company was established in 2010. It is an organization that provides data security and network solutions to the state and local government of the US Virgin Islands.
Instructor comment: An executive summary is much more than just one sentence. Add much more detail here. I suggest you eliminate the executive summary and start with your introduction.
1.1 Introduction
In April 2014 E’s Data Security Company began the first phase of implementing a security plan for use within the company. This phase began with the hiring of its first Chief Information Security Officer (CISO), whose sole purpose was to create an IT security program (Scalet, 2006).
Instructor comment: This began what began?? Add more clarity here.
Initially, the efforts of this plan were focused on obtaining the proper staffing to support its implementation. It is imperative to understand that the development of an IT security program is an ongoing, ever-evolving process and a shared responsibility (M.U.S.E., n.d.). By coordinating efforts with local, state, and federal government entities, this plan provides a comprehensive means of addressing that need. Because this organization serves a small community, the planning process will rely principally on informal relationships. How far this planning process is formalized varies with the frequency of a particular hazard and its impact on the community.
1.2 Objectives
This plan lists a set of goals for oversight and program implementation.
A. Implement and maintain policies and procedures for data security.
B. Implement and maintain procedures to test system resilience.
C. Implement and maintain education for employees regarding system vulnerabilities.
D. Implement and maintain physical security procedures.
E. Implement, maintain and review policies for emergency response.
1.3 Determine company position
To determine where the organization stands, an external and internal audit will be conducted to assess its competency (Entrepreneurs, 2011).
Instructor comment: What is the purpose of this section??
2 INTRODUCTION TO SECURITY
2.1 Develop – In collaboration with government agencies, the strategic planning for this organization will be integrated.
Instructor comment: How so?? Explain.
2.2 Information Security Employee Responsibilities – All employees will be required to complete an annual course on security awareness. These courses, developed by FEMA, will serve to inform employees of their responsibilities for the information within their purview (FEMA, n.d.). Additionally, an in-house training program will be developed to ensure that each employee understands how to fulfill their responsibilities within their department.
2.3 Establish Oversight Authority for Information Security – The heads of all the departments within this organization have responsibilities directly related to security planning. The unique characteristics of each department regarding its size, programs, practices, and resources will determine its risk environment. Once a department head becomes aware of a violation, a formal notice of the violation must be given to the CISO for further investigation. The CISO has the authority to enforce the requirements of the information security policies. The CISO also has the authority to authorize and/or implement new IT services, to shut systems down, or to delegate authority to a service provider or department head that possesses the capability to remedy any violations.
2.4 Establish Reporting Procedures for Leaders – The heads of every department will serve as the initial point of contact regarding any form of violation. It is imperative that these individuals are informed so that the proper procedures are implemented. Every department head is required to submit a quarterly assessment and progress report of their department to the CISO. Additionally, all information is to be reviewed by the Security Advisory Committee (SAC), President and Executive Committee on a regular basis.
2.5 Review of Pertinent or Sensitive Data – A data inventory will be conducted by the department heads in conjunction with the CISO. This data will be reviewed bi-annually, categorized, and handled appropriately.
Instructor comment: This data, what data?? Why is this important??
2.6 Purge Unneeded Data – All sensitive data that is no longer needed will be purged, while any required data more than six months old will be archived according to organizational policy. Any data that remains will be protected.
3 SYSTEMS ACCESS
3.1 Implement badge system for staff – An access card system will be implemented. All employees will be required to use their issued cards to gain access to authorized work areas. In addition, these cards are required to gain access to the network, along with a 7-digit security key.
3.2 Implement policies and procedures for badging system – The policies for the badging system will be outlined during a training course prior to issuance.
3.3 Unauthorized Systems Access – Unauthorized access to any system or restricted area within the facility will be reported to the CISO, department head, and lead security officer immediately. An investigation will be conducted into the violation and, as a precaution, all key passcodes will be changed. A comprehensive and detailed report will be submitted to the President, Board, and Security team upon completion. Additionally, a determination will be made on whether or not to update the system firmware.
4 SURVEILLANCE AND SECURITY
4.1 Implementation of a surveillance system throughout entire facility – In conjunction with the badging system, a comprehensive surveillance system will be installed throughout the facility for safety and security purposes. This service will be provided by a third party company, Top Dog Security. This system will include the utilization of a CCTV system that will also be monitored by Top Dog Security.
Instructor comment: This service, what service?? This system, what system??
4.2 Integrate door locking mechanisms throughout the facility
– In an effort to further limit access throughout the facility, all
access doors will be outfitted with a key card access
mechanism.
4.3 Educate employees on cyber threats and trends – All personnel are required to complete a training course on systems security and cyber threats. Subsequent updates, based on current trends and threats, will be disseminated by the CISO and/or department heads via email or at muster.
5 EMERGENCY SITUATIONS
5.1 Chain of Command – The most critical part of this section is to notify the agency or organization that handles the specific function required. For example, if there is a fire in the building, the fire department will be notified immediately and then the most immediately available manager. Subsequent notifications will be made as deemed necessary. A written statement will be submitted via the chain of command within an hour after the incident is addressed.
5.2 Communications plan – The standards for communications
are dependent upon the interoperability between responding
organizations. The process for managing incident information
will be outlined based on the individual departments.
5.3 Safety and Security Drills – All drills will be conducted in accordance with the Emergency Operations Plan (EOP). Specific guidelines for systems security will be outlined by the CISO in conjunction with the department heads. These drills will be conducted bi-annually and an after action report will be completed to determine whether any modifications are needed.
6 SECURITY RISK MANAGEMENT
An integral part of any successful plan is risk management. This is evident in all organizations, whether in the public or private sector. The process of risk management is ever-evolving and includes continual analysis to control security risks. Failure to mitigate security risks could be a detriment to any department and could hinder its ability to achieve its strategic goals.
7 REFERENCES
Entrepreneurs. (2011, October 25). Five steps to a strategic plan. Retrieved from http://www.forbes.com/sites/aileron/2011/10/25/five-steps-to-a-strategic-plan/
FEMA. (2014, September 16). 2014-2018 FEMA strategic plan. Retrieved from http://www.fema.gov/media-library/assets/documents/96981
M.U.S.E. (n.d.). Sections and components of strategic plans. Retrieved from CTU Online – Phase Materials.
Scalet, S. D. (2006, March 1). A 13-point plan for starting a strategic security group. Retrieved from http://www.csoonline.com/article/2119643/strategic-planning-erm/a-13-point-plan-for-starting-a-strategic-security-group.html
Strengths: Overall, you did a good job with your IP 4; a good description of the data security company; I would have liked to have seen you add the overall economic impact of significant damage to a major business to the local economy in the event of a critical incident; I liked that you used several good sources and that is a strength to continue going forward in future classes.
Opportunities for improvement: Do not forget to consider other threats outside of natural disasters within your core components of the strategic plan in greater detail; are there any definitions or acronyms that could be explained in your plan?? What about collaborative partnerships? The plan should designate various agencies and roles and responsibilities such as the State Fusion Center that can provide information sharing, crime trends and/or threats; any annexes that you would consider?? Remember, annexes are supporting documentation for specific contingencies and part of a plan; a few minor grammar errors; pretty good organization and your paper flowed nicely as previously mentioned; I did not see that you followed the template provided for you in the classroom that highlighted areas such as a purpose, scope, and terms section as part of the introduction; the main concept was to focus in on one particular site to draft a site security plan for that entity.
Additional Comments: To achieve security and resilience, critical infrastructure partners must collectively identify priorities, articulate clear goals, mitigate risk, measure progress, and adapt based on feedback and the changing environment. The community involved in managing risks to critical infrastructure is wide-ranging, composed of partnerships among owners and operators; Federal, State, local, tribal, and territorial governments; regional entities; non-profit organizations; and academia. Managing the risks from significant threats and hazards to physical and cyber critical infrastructure requires an integrated approach across this diverse community.