NINE STEPS TO CREATING A WORLD-CLASS INFORMATION SECURITY PLAN
Securing your data takes more than the latest security software. It also takes sound management
and an informed team.
Protecting what we own in cyberspace has evolved to become one of today’s top business
challenges. That’s mainly because assets are no longer just physical, as they were 150 years ago.
Security is no longer a matter of just rounding up the cattle and putting a fence around the herd.
Now, there are digital assets to protect, too.
Lawyers won’t help you much, either, when it comes to data security. They may argue your case
in court or pursue those who infringe on your digital property, but they can’t do much to shore
up your data vulnerabilities. No matter how thickly your organization pads itself with teams of
lawyers, it won’t do much to protect your digital assets from the threats that loom in cyberspace.
These days, it takes a comprehensive, disruptive approach to information security to secure
all your business assets. Cyberspace is about as vast a territory to protect as any, which makes
creating an information security plan no small task. This guide is here to help.
A Guide to Protecting Your Assets in the 21st Century
The interdependence of technologies makes for an incredibly diverse and complex world. This
world includes telecommunications, computer networks, and the quickly-growing sub-world of
connected devices.
This guide is for business owners, CISOs, IT managers, and others who seek to create an
information security plan. It’s also designed to give leaders an idea of the landscape. Only by
seeing the big picture can leaders and managers prioritize their decisions.
Grasping the Information Security Landscape
A good security plan focuses on the most serious threats at hand while also incorporating a plan
for the future integrity of valuable assets.
Before you create your plan, it’s important to understand what you’re up against. Threats come in
many forms, both hostile and negligence-based. They range from catastrophic events like all-out
attacks on your company’s infrastructure, to cyber espionage, to leakage of intellectual property.
It’s that last threat, which can arise from inadvertent carelessness or from wilful theft, that poses
one of the greatest security challenges today. The reason is clear: this type of security threat
is employee-based. This is one reason why today’s security challenges must involve sound
management. Training, oversight, and communications are key in this regard.
As you can see, an information security plan must involve a plan for management as well as a
structure for technology mandates.
What follows is a five-part plan for businesses to protect their electronic assets. A 2015 Ponemon
Institute study found that the average cost of a data breach to companies surveyed was £2.95
million, up 23 percent over the previous two years. The time to start your security plan is now.
Step 1: Know What You’re Protecting
Your cyber assets can be divided into two categories:
1. Data. This is your intellectual property, your customer records, your inventory database, your
bookkeeping, and your employee data.
2. Systems. This is your website, your CMS, your online shopping cart, your security system for
your building, your health & safety management system, your patient monitoring system, etc.,
depending on the type of business you have.
Step 2: Know Where the Threats Come From
Vulnerabilities for both types of assets stem from both technical and human sources. If your
firewall isn’t strong enough or configured correctly, or if you don’t have one at all, that’s a
technical issue. If your employees fall for phishing email scams, there’s your human vulnerability.
Again, cyber security is not just a technical issue—it’s a management concern, too.
On the other hand, if your employees are accessing company systems on unsecured devices, that
poses both technical- and human-based threats.
Step 3: Understand the Scope of a Good Plan
Companies that understand that information security plans need to be cross-departmental, as
well as top-to-bottom, will ultimately be more successful in protecting their assets.
Gone are the days when companies could simply rely on their IT departments to put up a firewall,
install anti-virus software, and be done with it.
Security is no longer the sole domain of the IT department.
Creating and managing a successful data security plan takes, first and foremost, an informed
vision from top leadership. Only through solid and consistent messaging from the C-suite will
management be able to inject a security-minded culture at every level in an organization.
In other words, it’s great if managers understand how to protect data and systems, but for a plan
to work, everyone has to work together. That includes team leaders and team players, right down
to the new hire who’s about to access the company intranet on his own phone.
Step 4: Conduct an Audit
It’s hard to devise a customized, comprehensive plan for security without first conducting an
audit. The best person to conduct a security audit is someone with security experience. Your
firm’s security is still your own responsibility, however, so it’s good to know how to conduct a
basic audit yourself.
Leaders can begin the process by taking stock of the following:
• data and systems that could be at risk
• offline systems which are at risk via USB ports, etc.
• assets shared or held outside your organization—by vendors, contractors, etc.
The scope of an audit depends on your organization, your goals, and the industry you’re in.
Banking, for example, requires regular, third-party audits to ensure compliance with federal and
industry regulations.
If you’re a small business, chances are your audit can be completed in an afternoon and you can
set your own benchmarks.
Step 5: Prepare a Risk Assessment
With the list of assets you’ve made in Step 4, now it’s time to assess the level of risk for each item
on your list. Go down the list you made:
• What is the likelihood of an attack on each item in your security audit?
• What types of vulnerabilities are attached to each asset?
If you have a team, gather them and do some brainstorming on the risks your assets face. Then,
begin to attach value to the risks.
• What is the financial risk?
• How about the risk to your brand’s reputation if assets are compromised?
In your brainstorming session, make sure to include conversations about the motivation for
malicious cyber-attacks. That’s going to be tied to the value of the assets but also to the type of
risk involved. In other words, customer data may have street value but your company’s website
has competitive value. If your website goes down, who benefits? Try to cover all the risks from all
angles.
Finally, do you already have a security policy? If so, your assessment serves to test how well that
policy works in real life.
Step Five: Categorize Your Assets
Based on the audit and the risk assessment, you’ll be able to divide your assets into two
categories:
1. those which require basic protection, such as best practices
2. those which require more aggressive security measures
The second category of assets may require outside services for protection, or more internal
resources, or both. For instance, you may need to dedicate more employee time to protecting
these assets. Perhaps some assets require an upgraded security management regime so training
would be in order for some employees.
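Steps 5 and Five describe one procedure: score each audited asset by likelihood and by financial and reputational value, then split the list into the "basic protection" and "more aggressive measures" categories. The following is an added worked example of that procedure in Python; it is not part of the original guide, and the 1-to-5 scales, the score formula (likelihood multiplied by the worse of the two impacts), the threshold of 10 and the sample assets are all assumptions constructed for illustration.

```python
"""Risk register for a small asset list: score every asset and tier it into the two
protection categories. Added example; scales, formula and sample data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                      # "data" or "system", the two categories from Step 1
    likelihood: int                # 1 (rare) .. 5 (almost certain) -- assumed scale
    financial_impact: int          # 1 (negligible) .. 5 (severe) -- assumed scale
    reputation_impact: int         # 1 (negligible) .. 5 (severe) -- assumed scale
    vulnerabilities: tuple = ()    # free-text labels noted during the audit


def risk_score(asset: Asset) -> int:
    """Likelihood times the worse of the two impacts (assumed formula, range 1..25).

    Taking the maximum rather than the sum keeps a low-likelihood asset with a
    severe reputational impact from being averaged down by a small financial one.
    """
    for field in ("likelihood", "financial_impact", "reputation_impact"):
        value = getattr(asset, field)
        if not 1 <= value <= 5:
            raise ValueError(f"{asset.name}: {field}={value} is outside the 1..5 scale")
    return asset.likelihood * max(asset.financial_impact, asset.reputation_impact)


def categorize(assets, threshold: int = 10) -> dict:
    """Split assets into the guide's two categories, highest score first.

    Anything scoring at or above `threshold` (assumed value) goes to the
    'aggressive' tier that may need extra staff time, training or outside services.
    """
    ranked = sorted(assets, key=risk_score, reverse=True)
    tiers = {"aggressive": [], "basic": []}
    for asset in ranked:
        tier = "aggressive" if risk_score(asset) >= threshold else "basic"
        tiers[tier].append(asset.name)
    return tiers


# Constructed sample register, as it might come out of a Step 4 audit.
SAMPLE_ASSETS = (
    Asset("customer records", "data", likelihood=4, financial_impact=4,
          reputation_impact=5, vulnerabilities=("phishing", "shared with payroll vendor")),
    Asset("company website", "system", likelihood=3, financial_impact=3,
          reputation_impact=4, vulnerabilities=("unpatched CMS", "DDoS")),
    Asset("inventory database", "data", likelihood=3, financial_impact=2,
          reputation_impact=2, vulnerabilities=("offline host with open USB ports",)),
    Asset("building access control", "system", likelihood=2, financial_impact=2,
          reputation_impact=2, vulnerabilities=("default vendor credentials",)),
)


def register_report(assets=SAMPLE_ASSETS, threshold: int = 10) -> list:
    """Rows of (name, kind, score, tier, vulnerabilities) for a management review."""
    tiers = categorize(assets, threshold)
    rows = []
    for asset in sorted(assets, key=risk_score, reverse=True):
        tier = "aggressive" if asset.name in tiers["aggressive"] else "basic"
        rows.append((asset.name, asset.kind, risk_score(asset), tier,
                     ", ".join(asset.vulnerabilities)))
    return rows


if __name__ == "__main__":
    for name, kind, score, tier, vulns in register_report():
        print(f"{score:>2}  {tier:<10} {kind:<6} {name:<24} {vulns}")
```

Run as a script it prints the register ranked by score; the threshold is the knob to revisit at each management review (Step Eight), since lowering it moves assets into the tier that consumes more resources.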
Step Six: Assign Responsibility
It’s important to assign responsibility for information security at your company.
According to recommendations outlined in a McKinsey white paper on managing cybersecurity,
there are three areas of responsibility to account for:
1. Technology. Technical capability is essential for countering cyber-attacks and for minimizing
vulnerabilities. Therefore, technical spending is largely considered a must if you’re going to
be running a business these days. Companies should be well-versed in security best practices.
These can include limiting access to employees on a need-to-access basis, for example.
2. People. This is key, especially as bring-your-own-device policies expand the range of
hardware that’s accessing company assets. Clear procedures need to be spelled out and
communicated to all employees. Training is a huge component of taking responsibility for
the ‘people’ aspect of IT security. Testing your employees for compliance with policies should
be considered, too.
3. Processes and procedures. If attacks do happen, there should be clear procedures in place
for handling them. Leaders need to know about attacks as soon as they happen so they can
galvanize their teams to respond properly. This includes not only making sure everyone at
your company knows about attacks, but also that they understand how attacks happen and learn how to
protect against them.
Step Seven: Establish Your KPIs
You’ve assigned responsibility for various aspects of cyber security. Now, how do you manage
those roles? You’ll need a basis for checking performance, so your next step is to establish the
key performance indicators (KPIs) for each of the three areas of responsibility outlined above.
1. KPIs for Technology. These are perhaps easiest to determine. Is your software updated? How
long does it take for everyone in your organization to update their software after the update
has been released?
2. KPIs for People. Has everyone completed their security training? Has everyone read the
guidelines and signed off on them? Is everyone practicing safe email operation? Are personal
mobile devices being used for work purposes? If so, does that violate your policy? If it’s
allowed, do all personal devices adhere to security standards?
3. KPIs for Processes and Procedures. Is the data your company handles suitably encrypted?
Is your website secure? If you operate using cloud services, is your system secure? Is data
segmented properly?
Step Eight: Set Up a Management Review Process
KPIs don’t help you much if nobody’s checking up on them. Establish a regular, routine review
process. Managers, using KPIs and a benchmark, should submit assessment reports for their
departments.
Step Nine: Get Your Contingency Plan in Place
If your organization does experience a major security attack, what will you do? Preparing for this
outcome is similar to preparing for any Environmental, Health, and Safety (EHS) incident. You
enter three phases of response:
1. crisis management
2. recovery
3. incident reporting
For crisis management, how will you react when something happens? Plan how you’ll
communicate with employees and stakeholders. Then plan how you’ll approach your system
response. Will you take your website offline if you suffer a DDoS attack?
Recovery will undoubtedly involve your IT people, whether they’re in-house or contracted.
You’ll want to repair any damages to data and systems, then plug up the ‘hole’ that caused the
vulnerability, then restore your system back to normal operation.
However you manage this last component (recovery), make sure it’s fast. The longer you wait, the
more exposure you have to attacks.
Finally, you’ll want to draw up something akin to an incident report. Reporting on the
circumstances that led up to the attack or the breach can prove to be valuable data when you’re
revising your security plan. It’s also helpful for when you’re looking for ways to prevent future
attacks.
You may also need to report to stakeholders. They’ll want reassurance that you understand the
attack or the breach, so it’s less likely to happen again.
Conclusion
The bottom line is that every organization, no matter how small, has digital assets that are
vulnerable and need protecting. Whether it’s via malicious hackers or careless employees, your
company’s assets are at great risk if you don’t have an information security plan.
The steps outlined in this guide are simply a template for getting started with your plan. Every
organization maintains its own set of unique digital assets and has its own set of vulnerabilities.
While companies face similar cyber threats, each has to develop its own, specialized plan for
security. The policies you create should be aimed at the employees you have, to protect the
assets you hold, not those of some other organization.
We hope this guide has given you a foundation for creating your own information security plan—
one that carries you through the coming years, and which will be adaptable as the threats evolve
and your business grows.
Contact your Bright representative today for more information:
333 Latimer Rd, London W10 6RA | 020 3031 9500
sales@bright.co

More Related Content

Recently uploaded

Jual Obat Aborsi Di Sibolga wa 0851/7541/5434 Cytotec Misoprostol 200mcg Pfizer
Jual Obat Aborsi Di Sibolga wa 0851/7541/5434 Cytotec Misoprostol 200mcg PfizerJual Obat Aborsi Di Sibolga wa 0851/7541/5434 Cytotec Misoprostol 200mcg Pfizer
Jual Obat Aborsi Di Sibolga wa 0851/7541/5434 Cytotec Misoprostol 200mcg Pfizer
Pusat Herbal Resmi BPOM
 
Obat Aborsi Malang 0851\7696\3835 Jual Obat Cytotec Di Malang
Obat Aborsi Malang 0851\7696\3835 Jual Obat Cytotec Di MalangObat Aborsi Malang 0851\7696\3835 Jual Obat Cytotec Di Malang
Obat Aborsi Malang 0851\7696\3835 Jual Obat Cytotec Di Malang
Obat Aborsi Jakarta Wa 085176963835 Apotek Jual Obat Cytotec Di Jakarta
 
00971508021841 حبوب الإجهاض في دبي | أبوظبي | الشارقة | السطوة |❇ ❈ ((![© ر
00971508021841 حبوب الإجهاض في دبي | أبوظبي | الشارقة | السطوة |❇ ❈ ((![©  ر00971508021841 حبوب الإجهاض في دبي | أبوظبي | الشارقة | السطوة |❇ ❈ ((![©  ر
00971508021841 حبوب الإجهاض في دبي | أبوظبي | الشارقة | السطوة |❇ ❈ ((![© ر
nafizanafzal
 
Contact +971581248768 for 100% original and safe abortion pills available for...
Contact +971581248768 for 100% original and safe abortion pills available for...Contact +971581248768 for 100% original and safe abortion pills available for...
Contact +971581248768 for 100% original and safe abortion pills available for...
DUBAI (+971)581248768 BUY ABORTION PILLS IN ABU dhabi...Qatar
 
Abortion pills in Muscut<Oman(+27737758557) Cytotec available.inn Kuwait City.
Abortion pills in Muscut<Oman(+27737758557) Cytotec available.inn Kuwait City.Abortion pills in Muscut<Oman(+27737758557) Cytotec available.inn Kuwait City.
Abortion pills in Muscut<Oman(+27737758557) Cytotec available.inn Kuwait City.
daisycvs
 
Powerpoint showing results from tik tok metrics
Powerpoint showing results from tik tok metricsPowerpoint showing results from tik tok metrics
Powerpoint showing results from tik tok metrics
CaitlinCummins3
 
#Mtp-Kit Prices » Qatar. Doha (+27737758557) Abortion Pills For Sale In Doha,...
#Mtp-Kit Prices » Qatar. Doha (+27737758557) Abortion Pills For Sale In Doha,...#Mtp-Kit Prices » Qatar. Doha (+27737758557) Abortion Pills For Sale In Doha,...
#Mtp-Kit Prices » Qatar. Doha (+27737758557) Abortion Pills For Sale In Doha,...
drm1699
 
如何办理(SUT毕业证书)斯威本科技大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(SUT毕业证书)斯威本科技大学毕业证成绩单本科硕士学位证留信学历认证如何办理(SUT毕业证书)斯威本科技大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(SUT毕业证书)斯威本科技大学毕业证成绩单本科硕士学位证留信学历认证
ogawka
 
Obat Aborsi Surabaya 0851\7696\3835 Jual Obat Cytotec Di Surabaya
Obat Aborsi Surabaya 0851\7696\3835 Jual Obat Cytotec Di SurabayaObat Aborsi Surabaya 0851\7696\3835 Jual Obat Cytotec Di Surabaya
Obat Aborsi Surabaya 0851\7696\3835 Jual Obat Cytotec Di Surabaya
Obat Aborsi Jakarta Wa 085176963835 Apotek Jual Obat Cytotec Di Jakarta
 
What is paper chromatography, principal, procedure,types, diagram, advantages...
What is paper chromatography, principal, procedure,types, diagram, advantages...What is paper chromatography, principal, procedure,types, diagram, advantages...
What is paper chromatography, principal, procedure,types, diagram, advantages...
srcw2322l101
 

Recently uploaded (20)

Home Furnishings Ecommerce Platform Short Pitch 2024
Home Furnishings Ecommerce Platform Short Pitch 2024Home Furnishings Ecommerce Platform Short Pitch 2024
Home Furnishings Ecommerce Platform Short Pitch 2024
 
Jual Obat Aborsi Di Sibolga wa 0851/7541/5434 Cytotec Misoprostol 200mcg Pfizer
Jual Obat Aborsi Di Sibolga wa 0851/7541/5434 Cytotec Misoprostol 200mcg PfizerJual Obat Aborsi Di Sibolga wa 0851/7541/5434 Cytotec Misoprostol 200mcg Pfizer
Jual Obat Aborsi Di Sibolga wa 0851/7541/5434 Cytotec Misoprostol 200mcg Pfizer
 
Obat Aborsi Malang 0851\7696\3835 Jual Obat Cytotec Di Malang
Obat Aborsi Malang 0851\7696\3835 Jual Obat Cytotec Di MalangObat Aborsi Malang 0851\7696\3835 Jual Obat Cytotec Di Malang
Obat Aborsi Malang 0851\7696\3835 Jual Obat Cytotec Di Malang
 
How to refresh to be fit for the future world
How to refresh to be fit for the future worldHow to refresh to be fit for the future world
How to refresh to be fit for the future world
 
00971508021841 حبوب الإجهاض في دبي | أبوظبي | الشارقة | السطوة |❇ ❈ ((![© ر
00971508021841 حبوب الإجهاض في دبي | أبوظبي | الشارقة | السطوة |❇ ❈ ((![©  ر00971508021841 حبوب الإجهاض في دبي | أبوظبي | الشارقة | السطوة |❇ ❈ ((![©  ر
00971508021841 حبوب الإجهاض في دبي | أبوظبي | الشارقة | السطوة |❇ ❈ ((![© ر
 
Pay after result spell caster (,$+27834335081)@ bring back lost lover same da...
Pay after result spell caster (,$+27834335081)@ bring back lost lover same da...Pay after result spell caster (,$+27834335081)@ bring back lost lover same da...
Pay after result spell caster (,$+27834335081)@ bring back lost lover same da...
 
Thompson_Taylor_MBBS_PB1_2024-03 (1)- Project & Portfolio 2.pptx
Thompson_Taylor_MBBS_PB1_2024-03 (1)- Project & Portfolio 2.pptxThompson_Taylor_MBBS_PB1_2024-03 (1)- Project & Portfolio 2.pptx
Thompson_Taylor_MBBS_PB1_2024-03 (1)- Project & Portfolio 2.pptx
 
SCI9-Q4-MOD8.1.pdfjttstwjwetw55k5wwtwrjw
SCI9-Q4-MOD8.1.pdfjttstwjwetw55k5wwtwrjwSCI9-Q4-MOD8.1.pdfjttstwjwetw55k5wwtwrjw
SCI9-Q4-MOD8.1.pdfjttstwjwetw55k5wwtwrjw
 
Should Law Firms Outsource their Bookkeeping
Should Law Firms Outsource their BookkeepingShould Law Firms Outsource their Bookkeeping
Should Law Firms Outsource their Bookkeeping
 
Contact +971581248768 for 100% original and safe abortion pills available for...
Contact +971581248768 for 100% original and safe abortion pills available for...Contact +971581248768 for 100% original and safe abortion pills available for...
Contact +971581248768 for 100% original and safe abortion pills available for...
 
Abortion pills in Muscut<Oman(+27737758557) Cytotec available.inn Kuwait City.
Abortion pills in Muscut<Oman(+27737758557) Cytotec available.inn Kuwait City.Abortion pills in Muscut<Oman(+27737758557) Cytotec available.inn Kuwait City.
Abortion pills in Muscut<Oman(+27737758557) Cytotec available.inn Kuwait City.
 
Powerpoint showing results from tik tok metrics
Powerpoint showing results from tik tok metricsPowerpoint showing results from tik tok metrics
Powerpoint showing results from tik tok metrics
 
#Mtp-Kit Prices » Qatar. Doha (+27737758557) Abortion Pills For Sale In Doha,...
#Mtp-Kit Prices » Qatar. Doha (+27737758557) Abortion Pills For Sale In Doha,...#Mtp-Kit Prices » Qatar. Doha (+27737758557) Abortion Pills For Sale In Doha,...
#Mtp-Kit Prices » Qatar. Doha (+27737758557) Abortion Pills For Sale In Doha,...
 
如何办理(SUT毕业证书)斯威本科技大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(SUT毕业证书)斯威本科技大学毕业证成绩单本科硕士学位证留信学历认证如何办理(SUT毕业证书)斯威本科技大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(SUT毕业证书)斯威本科技大学毕业证成绩单本科硕士学位证留信学历认证
 
Goal Presentation_NEW EMPLOYEE_NETAPS FOUNDATION.pptx
Goal Presentation_NEW EMPLOYEE_NETAPS FOUNDATION.pptxGoal Presentation_NEW EMPLOYEE_NETAPS FOUNDATION.pptx
Goal Presentation_NEW EMPLOYEE_NETAPS FOUNDATION.pptx
 
Navigating Tax Season with Confidence Streamlines CPA Firms
Navigating Tax Season with Confidence Streamlines CPA FirmsNavigating Tax Season with Confidence Streamlines CPA Firms
Navigating Tax Season with Confidence Streamlines CPA Firms
 
Obat Aborsi Surabaya 0851\7696\3835 Jual Obat Cytotec Di Surabaya
Obat Aborsi Surabaya 0851\7696\3835 Jual Obat Cytotec Di SurabayaObat Aborsi Surabaya 0851\7696\3835 Jual Obat Cytotec Di Surabaya
Obat Aborsi Surabaya 0851\7696\3835 Jual Obat Cytotec Di Surabaya
 
Space Tech Expo Exhibitor List 2024 - Exhibitors Data
Space Tech Expo Exhibitor List 2024 - Exhibitors DataSpace Tech Expo Exhibitor List 2024 - Exhibitors Data
Space Tech Expo Exhibitor List 2024 - Exhibitors Data
 
Innomantra Viewpoint - Building Moonshots : May-Jun 2024.pdf
Innomantra Viewpoint - Building Moonshots : May-Jun 2024.pdfInnomantra Viewpoint - Building Moonshots : May-Jun 2024.pdf
Innomantra Viewpoint - Building Moonshots : May-Jun 2024.pdf
 
What is paper chromatography, principal, procedure,types, diagram, advantages...
What is paper chromatography, principal, procedure,types, diagram, advantages...What is paper chromatography, principal, procedure,types, diagram, advantages...
What is paper chromatography, principal, procedure,types, diagram, advantages...
 

Featured

How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 

Featured (20)

Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 

Nine Steps To Creating A World Class Information Security Plan

  • 1. 1 NINE STEPS TO CREATING A WORLD-CLASS INFORMATION SECURITY PLAN Securing your data takes more than the latest security software. It also takes sound management and an informed team. Protecting what we own in cyberspace has evolved to become one of today’s top business challenges. That’s mainly because assets are no longer just physical, as they were 150 years ago. Security is no longer a matter of just rounding up the cattle and putting a fence around the herd. Now, there are digital assets to protect, too. Lawyers won’t help you much, either, when it comes to data security. They may argue your case in court or pursue those who infringe on your digital property, but they can’t do much to shore up your data vulnerabilities. No matter how thickly your organization pads itself with teams of lawyers, it won’t do much to protect your digital assets from the threats that loom in cyberspace. These days, it takes a comprehensive, disruptive approach to information security to secure all your business assets. Cyberspace is about as vast a territory to protect as any, which makes creating an information security plan no small task. This guide is here to help. A Guide to Protecting Your Assets in the 21st Century The interdependence of technologies makes for an incredibly diverse and complex world. This world includes telecommunications, computer networks, and the quickly-growing sub-world of connected devices. This guide is for business owners, CISO’s, IT managers, and others who seek to create an information security plan. It’s also designed to give leaders an idea of the landscape. Only by seeing the big picture can leaders and managers prioritize their decisions.
  • 2. 2 Grasping the Information Security Landscape A good security plan focuses on the most serious threats at hand while also incorporating a plan for the future integrity of valuable assets. Before you create your plan, it’s important to understand what you’re up against. Threats come in many forms, both hostile and negligence-based. They range from catastrophic events like all-out attacks on your company’s infrastructure, to cyber espionage, to leakage of intellectual property. It’s that last threat, which can arise from inadvertent carelessness or from wilful theft, that poses one of the greatest security challenges today. The reason is clear: this type of security threat is employee-based. This is one reason why today’s security challenges must involve sound management. Training, oversight, and communications are key in this regard. As you can see, an information security plan must involve a plan for management as well as a structure for technology mandates. What follows is a five-part plan for businesses to protect their electronic assets. A 2015 Ponemon Institute study found that the average cost of a data breach to companies surveyed was £2.95 million, up 23 percent over the previous two years. The time to start your security plan is now. Step 1: Know What You’re Protecting Your cyber assets can be divided into two categories: 1. Data. This is your intellectual property, your customer records, your inventory database, your bookkeeping, your employee data 2. Systems. This is your website, your CMS, your online shopping cart, your security system for your building, your health & safety management system, your patient monitoring system, etc, depending the type of business you have Step 2: Know Where the Threats Come From Vulnerabilities for both types of assets stem from both technical and human sources. If your firewall isn’t strong enough or configured correctly, or if you don’t have one at all, that’s a technical issue. 
If your employees fall for phishing email scams, there’s your human vulnerability. Again, cyber security is not just a technical issue—it’s a management concern, too. On the other hand, if your employees are accessing company systems on unsecured devices, that poses both technical- and human-based threats.
  • 3. 3 Step 3: Understand the Scope of a Good Plan Companies who understand that information security plans need to be cross-departmental, as well as top-to-bottom, will ultimately be more successful in protecting their assets. Gone are the days when companies could simply rely on their IT departments to put up a firewall, install anti-virus software, and be done with it. Security is no longer the sole domain of the IT department. Creating and managing a successful data security plan takes, first and foremost, an informed vision from top leadership. Only through solid and consistent messaging from the C-suite will management be able to inject a security-minded culture at every level in an organization. In other words, it’s great if managers understand how to protect data and systems, but for a plan to work, everyone has to work together. That includes team leaders and team players, right down to the new hire who’s about to access the company intranet on his own phone. Step 4: Conduct an Audit It’s hard to devise a customized, comprehensive plan for security without first conducting an audit. The best person to conduct a security audit is someone with security experience. Your firm’s security is still your own responsibility, however, so it’s good to know how to conduct a basic audit yourself. Leaders can begin the process by taking stock of the following: • data and systems that could be at risk • offline systems which are at risk via USB ports etc • assets shared or held outside your organization—by vendors, contractors, etc The scope of an audit depends on your organization, your goals, and the industry you’re in. Banking, for example, requires regular, third-party audits to ensure compliance with federal and industry regulations. If you’re a small business, chances are your audit can be completed in an afternoon and you can set your own benchmarks. 
Step 5: Prepare a Risk Assessment With the list of assets you’ve made in Step 4, now it’s time to assess the level of risk for each item on your list. Go down the list you made: • What is the likelihood of an attack on each item in your security audit? • What types of vulnerabilities are attached to each asset?
If you have a team, gather them and brainstorm the risks your assets face. Then begin to attach value to the risks.
• What is the financial risk?
• What is the risk to your brand's reputation if assets are compromised?

In your brainstorming session, make sure to include conversations about the motivation for malicious cyber-attacks. That will be tied to the value of the assets but also to the type of risk involved. In other words, customer data may have street value, but your company's website has competitive value. If your website goes down, who benefits? Try to cover all the risks from all angles.

Finally, do you already have a security policy? If so, your assessment serves to test how well that policy works in real life.

Step Five: Categorize Your Assets

Based on the audit and the risk assessment, you'll be able to divide your assets into two categories:
1. those which require basic protection, such as following best practices
2. those which require more aggressive security measures

The second category of assets may require outside services for protection, more internal resources, or both. For instance, you may need to dedicate more employee time to protecting these assets. Some assets may require an upgraded security management regime, in which case training for some employees would be in order.

Step Six: Assign Responsibility

It's important to assign responsibility for information security at your company. According to recommendations outlined in a McKinsey white paper on managing cybersecurity, there are three areas of responsibility to account for:
1. Technology. Technical capability is essential for countering cyber-attacks and for minimizing vulnerabilities, so technical spending is largely considered a must if you're going to be running a business these days. Companies should be well-versed in security best practices. These can include limiting access to employees on a need-to-access basis, for example.
2. People. This is key, especially as bring-your-own-device policies expand the range of hardware that's accessing company assets. Clear procedures need to be spelled out and communicated to all employees. Training is a huge component of taking responsibility for the 'people' aspect of IT security. Testing your employees for compliance with policies should be considered, too.
3. Processes and procedures. If attacks do happen, there should be clear procedures in place for handling them. Leaders need to know about attacks as soon as they happen so they can galvanize their teams to respond properly. This includes not only making sure everyone at your company knows about attacks, but also that they understand how they happen and learn how to protect against them.

Step Seven: Establish Your KPIs

You've assigned responsibility for various aspects of cyber security. Now, how do you manage those roles? You'll need a basis for checking performance, so your next step is to establish key performance indicators (KPIs) for each of the three areas of responsibility outlined above.
1. KPIs for Technology. These are perhaps the easiest to determine. Is your software up to date? How long does it take for everyone in your organization to apply an update after it has been released?
2. KPIs for People. Has everyone completed their security training? Has everyone read the guidelines and signed off on them? Is everyone practicing safe email habits? Are personal mobile devices being used for work purposes? If so, does that violate your policy? If it's allowed, do all personal devices adhere to your security standards?
3. KPIs for Processes and Procedures. Is the data your company handles suitably encrypted? Is your website secure? If you operate using cloud services, is your system secure? Is data segmented properly?

Step Eight: Set Up a Management Review Process

KPIs don't help you much if nobody is checking up on them. Establish a regular, routine review process. Managers, using the KPIs and a benchmark, should submit assessment reports for their departments.

Step Nine: Get Your Contingency Plan in Place

If your organization does experience a major security attack, what will you do? Preparing for this outcome is similar to preparing for any Environmental, Health, and Safety (EHS) incident. You enter three phases of response:
1. crisis management
2. recovery
3. incident reporting

For crisis management, how will you react when something happens? Plan how you'll communicate with employees and stakeholders. Then plan how you'll approach your system response. Will you take your website offline if you suffer a DDoS attack?
Recovery will undoubtedly involve your IT people, whether they're in-house or contracted. You'll want to repair any damage to data and systems, close the 'hole' that caused the vulnerability, and only then restore your systems to normal operation. However you manage this last component (recovery), make sure it's fast. The longer you wait, the longer you remain exposed to attacks.

Finally, you'll want to draw up something akin to an incident report. Reporting on the circumstances that led up to the attack or breach can prove valuable when you're revising your security plan. It's also helpful when you're looking for ways to prevent future attacks. You may also need to report to stakeholders. They'll want reassurance that you understand the attack or the breach, so it's less likely to happen again.

Conclusion

The bottom line is that every organization, no matter how small, has digital assets that are vulnerable and need protecting. Whether the threat comes from malicious hackers or careless employees, your company's assets are at great risk if you don't have an information security plan.

The steps outlined in this guide are simply a template for getting started with your plan. Every organization maintains its own set of unique digital assets and has its own set of vulnerabilities. While companies face similar cyber threats, each has to develop its own specialized plan for security. The policies you create should be aimed at the employees you have, to protect the assets you hold, not those of some other organization.

We hope this guide has given you a foundation for creating your own information security plan, one that carries you through the coming years and that will be adaptable as the threats evolve and your business grows.
Contact your Bright representative today for more information: 333 Latimer Rd, London W10 6RA | 020 3031 9500 | sales@bright.co