Your security plan

An IT security plan is a key tool to help your business protect its IT systems. Your security plan should state how you will guard against security vulnerabilities to protect your business from disruption and financial loss.

Effective security risk assessment

A security plan allows you to understand what security vulnerabilities are present in your IT systems. You can then prevent these problems occurring.

Your security plan doesn’t have to be a long document covering all conceivable security vulnerabilities. But it should help you protect key business data and systems and ensure you adhere to relevant legislation, like the Data Protection Act.

Additionally, the more complex your business IT system is, the more security vulnerabilities you will face. A formal security plan is the most effective way to manage these. It makes you less likely to overlook any gaps in your defences.

Writing your security plan

There are several stages to writing an effective security plan:

  1. Identify your IT assets. These are the hardware, software, systems and data which make up your IT system. They can include computer programs, servers and external services like web hosting.
  2. Carry out an IT security risk assessment. Establish what could threaten your assets, for instance computer viruses, hackers, physical damage or mistakes by employees. Consider the damage that could be caused in each case. For instance, if your server were taken offline, could your company continue to operate?
  3. Prioritise your protection. Once you’ve assessed the potential damage from each threat and the likelihood of it occurring, you can decide what it’s most important to protect against. For example, you might determine that protecting your server is more important than protecting individual computers.
  4. Take appropriate precautions. Decide what steps you should take to protect against the risks you’ve identified and ensure your business is able to keep operating if something goes wrong. For example, you might restrict access to your server or install a hardware firewall. Your disaster recovery plan should explain what to do in a crisis.

It can be hard to spot all security vulnerabilities if you’re not an IT expert. Your IT supplier or an external consultant may be best placed to cast a critical eye over your systems and procedures.

Keep your security plan pragmatic. It should explain practical steps your business can take to guard against security vulnerabilities. If it can’t be put into action, a security plan is largely useless.

Reducing security vulnerabilities

Once you’ve written your security plan, you should implement its recommendations in your business:

  • Communicate the plan to your staff. Make specific employees responsible for specific areas. Ensure they have the time and resources to make the recommended changes to your IT systems.
  • Create IT policies and run training. Amend your IT policies so they are in line with your security plan. If necessary, run training so your staff understand how to minimise security vulnerabilities.
  • Set a timeline for the implementation of the measures in your plan. Remember that it may take longer to make big changes to your systems.

Maintaining your security plan

The information security risk to your business is constantly changing, so you should regularly review your security plan. Keep up to date with emerging security vulnerabilities by signing up to bulletins from security companies.

If you make changes to your IT system or invest in new hardware or software, always review your security plan. Aim to identify any new security vulnerabilities.

Also review your policies and procedures 9 – 12 months after putting your plan into action. And put someone in charge of your security plan, so there’s no chance of it being neglected.
