How to create an information security plan?

To create an information security plan, draw up a document that sets out which protective measures must be taken for the IT used in the organization.

Once there is an overview of these protective measures for the IT infrastructure, work through the following points step by step:

  • Identify the people who have interests in your organization.

    Identify who is involved in the security plan, such as the IT staff (whether internal or external) and the IT manager. Define the role each of them has in the plan so that everyone knows who holds what authority. Be sure to determine who is responsible in the event of an incident.

  • Determine what needs to be secured.

    To determine what needs to be secured, make an inventory of where the data is kept, which networks are in use and which servers are active. Once this list is complete, you can determine which data is the most important. Such data can reside on a server, in the cloud, in an ERP or CRM system, or on an e-mail server.

    Particular attention must be paid to “special personal data” such as patient data or financial data.

  • Which security systems to apply?

    Here we check whether the security tooling the organization already uses is sufficient to provide adequate protection. This is where the information security plan takes shape. By information security or cybersecurity measures, we mean things such as anti-malware applications, how backups are made, what type of firewall is used and whether VPN connections are used.

  • Take measures to recognize security breaches.

    Detecting breaches also requires measures for recognizing a threat or an attempted intrusion. You can monitor your network in various ways or install software that automatically sends out alerts when irregularities occur, such as DoS attacks, phishing attempts, use of compromised login credentials or brute-force attacks.

  • Determine optimal working methods.

    Most mistakes can be prevented through proper awareness among internal staff: a data breach does not always come through the IT infrastructure, because human error happens. Establishing internal usage guidelines so that personnel are well informed goes a long way toward preventing violations. These guidelines must then be followed and their compliance monitored. The use of MFA (multi-factor authentication) and unique codes per controller set by the privacy officer is already a good start. Also state in the information security plan that employees do not access the company’s Wi-Fi network with their own devices, and create a guest Wi-Fi network for this purpose.

  • Establish security procedures.

    Procedures should be drawn up for what to do in the event of a data breach or an attempted break-in to steal personal data. That way, the person who identifies a breach immediately knows what action to take, such as alerting the security consultant or calling an internal contact number. Also establish instructions for employees for when a data breach is identified, so that the problem or attempted problem can be addressed adequately.

  • Conduct an audit on a regular basis.

    Any system can be hacked, even if only by a disgruntled ex-employee who can still connect to it. Therefore, an audit should be performed regularly, covering business operations, the IT infrastructure and the use of communications. Vulnerabilities can also be identified during these audits, from which a new PDCA (plan-do-check-act) cycle can be drawn up.

  • Provide information security training to your staff.

    Prevention is better than cure, and not only in IT security. Organize regular information days for staff members and educate them on security risks and good practices, both online and offline. Forewarned is forearmed! Clicking through on a suspicious e-mail can already pose a great danger to your organization.

  • Continue to monitor the information security plan.

    Hackers are inventive and make a sport of constantly devising new means of stealing information. For this reason, the information security plan must be monitored and renewed continuously. Appoint a person in charge of monitoring these threats and communicating them to all employees. If you are very hands-on with your corporate security, you may be able to write this document with very little input from other stakeholders. However, if you depend on an IT service provider for managed cybersecurity, you may need their help in creating your plan.