In order to create an information security plan, a document must be drawn up that sets out which protective measures must be taken for the IT used in an organization.
Once there is an overview of these protective measures for the IT infrastructure, we work step by step through the following points:
Identify the people who have interests in your organization.
Identify which people are involved in the security plan, such as the IT staff (whether internal or external) and the IT manager. Also identify the role each of them has in the security plan, so that everyone knows who has what authority. Be sure to also determine who is responsible in case an incident occurs.
Determine what needs to be secured.
In order to determine what exactly needs to be secured, a list must be made of where data is kept, which networks are in use and which servers are active. Once this list is complete, we can determine which data is the most important. This data can reside on a server, in the cloud, in an ERP or CRM system, or on an e-mail server, for example.
Particular attention should be paid to "special personal data" such as patient data or financial data.
Which security systems to apply?
Here we consider whether the security equipment in use by the organization is sufficient to ensure optimal security. This is where the information security plan takes shape. By information security or cybersecurity equipment we mean things such as anti-malware applications, how backups are made, what type of firewall is used and whether VPN connections are used.
Taking measures to recognize security breaches.
To identify breaches, measures must also be taken to recognize a threat or an attempted hack. You can monitor your network in various ways or install software that automatically sends out alerts in case of irregularities, such as detection of DoS attacks, phishing attempts, logins with credentials that are known to have been compromised, or brute-force attacks.
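As an added illustration of the kind of automatic alerting described above (example code written for this text, not part of the original article or any product), the following script scans constructed login log lines and raises an alert when a source address produces many failed logins in a short window, and a second alert when that same source then logs in successfully, which is a common sign of a guessed or compromised credential. The log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format, not from a real system).
SAMPLE_LOG = """\
2024-05-01T08:00:01 auth FAIL user=alice src=203.0.113.7
2024-05-01T08:00:03 auth FAIL user=alice src=203.0.113.7
2024-05-01T08:00:04 auth FAIL user=bob src=203.0.113.7
2024-05-01T08:00:06 auth FAIL user=alice src=203.0.113.7
2024-05-01T08:00:07 auth FAIL user=carol src=203.0.113.7
2024-05-01T08:00:09 auth OK user=alice src=203.0.113.7
2024-05-01T08:30:00 auth FAIL user=dave src=198.51.100.2
2024-05-01T09:15:00 auth OK user=dave src=198.51.100.2
"""

LINE_RE = re.compile(r"^(\S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Turn log lines into (timestamp, result, user, source) tuples; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events

def detect(events, threshold=5, window=timedelta(minutes=1)):
    """Return alerts: a 'brute_force' alert once a source has `threshold` failures
    inside `window`, and a 'success_after_bruteforce' alert for any later successful
    login from a source that was already flagged."""
    alerts = []
    failures = defaultdict(list)   # source -> timestamps of recent failed logins
    flagged = set()
    for ts, result, user, src in sorted(events):
        if result == "FAIL":
            # keep only failures still inside the sliding window, then add this one
            recent = [t for t in failures[src] if ts - t <= window] + [ts]
            failures[src] = recent
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, len(recent)))
        elif src in flagged:
            alerts.append(("success_after_bruteforce", src, user))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

In the sample data only 203.0.113.7 trips both alerts; the single failure from 198.51.100.2 stays below the threshold and is not reported.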
Determine optimal working methods.
Most breaches can be prevented by raising awareness among internal staff, because a data breach does not always come through the IT infrastructure; human error can also be the cause. Setting up internal usage guidelines so that staff are well informed can prevent many breaches. The guidelines must then be followed and monitored. The use of MFA (multi-factor authentication) and unique codes per controller, set by the privacy officer, is a good start. Also note in the information security plan that employees are not allowed to access the company's Wi-Fi network with their own devices, and create a guest Wi-Fi network for this purpose instead.
Establish security procedures.
Procedures such as what to do in the event of a data breach or an attempted break-in to steal personal data should be drawn up. That way, the person who detects a breach knows immediately what action to take, such as alerting the security consultant or calling an internal contact number. Also prepare instructions for employees for when a data breach is identified, so that the problem or attempted breach can be addressed appropriately.
Conduct an audit on a regular basis.
Any system can be hacked, even if only by a disgruntled former employee who can still connect. Therefore, an audit should be performed regularly, covering business operations, the IT infrastructure and the use of communications. Vulnerabilities identified during these audits feed into a new PDCA (plan-do-check-act) cycle.
Provide information security training to your staff.
Prevention is better than cure in IT security. Organize regular information days for employees and inform them about the dangers and about good security practices, both offline and online. Forewarned is forearmed! Simply clicking through on a suspicious e-mail can already pose a great danger to your organization.
Continue to follow the information security plan.
Hackers are inventive people and make it a sport to constantly create new means of stealing information. For this reason, the information security plan should be monitored and renewed continuously. Appoint a person in charge of monitoring these threats and communicating them to all employees. If you are very hands-on with your corporate security, you may be able to write this document with very little input from other stakeholders. However, if you rely on an IT service provider for managed cybersecurity, you may need their help in creating your plan.