Characteristics of a Good Information Security Plan

If your core business functions are keeping you busy, it's difficult to focus on building a defensive plan for your company's data. Here are some tips:

April 08, 2016 by Andreas Krebs

Three Components of a Successful Information Security Plan You Shouldn't Count Out

Do you have your security priorities all wrong? A 2014 study by Dell reports that over 75% of respondent organizations admitted to security breaches over the past year, but less than 20% prioritized the prediction and management of previously-unknown threats.

“Organizations are being more reactive than proactive with their IT security resourcing,” the report states, “reacting to big IT trends, rather than spending money protecting the organization from unknown threats before suffering a breach.”

It's understandable in hindsight: if your core business functions are already keeping you busy at all hours, it's difficult to focus on building a defensive plan for your company's data. But with the constantly changing nature of today's security risks, you need to prioritize that security plan, or else.

Luckily, you don't have to take the burden all on yourself. An IT outsourcing services provider can build and maintain your security plan for you, allowing you to focus on building your core business.

A national IT outsourcing services provider like All Covered can get you started on understanding the threats to your enterprise and help you plan a response. Together with your services provider, you can ensure that your company's intellectual and financial assets are well guarded, ideally behind several layers of protection that cover different elements of your network, including email, devices, and user authentication.

Even with an outside provider picking up the slack, you need to be on the same page vis-à-vis threats and responses. The success or failure of your security plan may hinge on your ability to collaborate with your service provider on the following crucial elements:

Understanding and prioritizing your threats. At the outset, you and your services provider need to perform a risk assessment that identifies specific threats, evaluates weaknesses and the potential for damage, defines responses, and builds a plan to fix the weaknesses and respond to the threats.

Pay special attention to the vulnerabilities you find, as they may turn out to exist not just in your technology, but in your processes and particularly your people as well. Sometimes social engineering tricks can overturn even the most well-thought-out defenses, like “found” USB sticks that load ransomware onto unsuspecting users' computers.

Getting the whole company to sign on. “Enterprise security is a cross-departmental problem that affects many different stakeholders,” explains Elizabeth Lawler, CEO and Co-founder of security company Conjur, Inc. “Everyone from the C-suite to Operations, Development, and Security needs to be on the same page before any action takes place.”

In short, the days when information security was the sole concern of the IT department are over. Information security is now everybody's business: an effective security plan requires everyone's involvement in an organization-wide effort. This collaboration can be enforced through internal audits that review security policies and procedures, and by getting individual departments' agreement on higher-level security planning.

“Your organization’s security requirements need to be carefully outlined and agreed upon while aligning with each department’s strategic goals for the year,” Lawler explains. “Approach these discussions with a sense of collaboration and without any confrontation.”

Compliance with regulation. The growth of regulatory requirements has led some companies to take risks with their compliance. “Everybody tries to figure out how much risk they can assume without being embarrassed or caught,” explains David Taylor, Protegrity's VP for data security strategies. “The people I regularly talk to are trying to figure out if [their security] fails, what’s the smallest amount they need to do to stay out of trouble and how they can blame someone else.”

Outsourcing your security plan can help you stay grounded. Outside services providers can serve as a third party that dispassionately ensures your security plan's compliance with the regulations that govern your industry, such as the Sarbanes-Oxley Act for publicly-held companies, the Gramm-Leach-Bliley Act for financial services providers, and the Health Insurance Portability and Accountability Act (HIPAA) for healthcare providers.

When you're good and ready to build your security plan, All Covered is here to help. Our goal is to protect your company’s data by implementing a solid IT infrastructure. Learn more about how your business can protect its IT environment and data; contact us today at (866) 446-1133 for more information or to schedule a consultation.