IT Security Plan

IT security planDeveloping an IT security plan can be a daunting task. Systems vary in complexity and scope. There are many common issues one can expect to face when developing a security plan and a strong plan is comprehensive, taking all relevant factors into account. This is a short guide to drafting and implementing a comprehensive plan, covering what considerations must be taken into account including risk assessment, employee education, access control, proper company system usage etiquette, balancing efficiency and security, and the prioritization of business assets and data to be secured.

Sponsored Research on IT Security Planning and Related Topics

Asset Identification and Assessment

The first step in developing a IT security plan is to understand the data one is securing and the role it plays in the business. To accomplish this it is essential that the IT side of the company and the business side of the company work together to determine the value of each type of data to be secured and thus the level of security accorded to each. Once this is determined one can formulate a strategic plan for securing data of varied levels of sensitivity.

Threat Assessment

The second step is to assess every possible threat posed to data from every angle. This includes the human factor, both non-malicious threats such as employee ignorance or carelessness and malicious threats which includes external attackers such as crackers and internal attackers such as disgruntled employees. Natural disasters and threats, including fire, flood, earthquake, tornado, hurricane and all such manner of possibilities must also be taken into account. Risk to data does not consist simply of theft but also destruction, whether that be accidental or intentional deletion of data, or destruction of data through natural causes or software bugs.

Pro-active and Reactive Planning

The varied nature of threats requires that two methods of security be implemented, pro-active and reactive. Pro-active security involves controlling account access to sensitive data on a need to know basis, proper encryption of stored data, strong policies controlling employee use of e-mail and the internet, the proper delegation of responsibilities among technical staff, hardened password policies and the education of employees to aid them in understanding the security system and the necessity of all policies. Reactive security on the other hand involves backing up sensitive data in a safe and secure fashion that is readily accessible in case of emergency. In addition to backing up data frequently emergency repair discs should also be used to ensure the quick and secure recovery of a compromised or broken system.

Non-Technical Security Threats

It is also important to understand that threats to data security are not purely technical. Companies rely on the vigilance of their employees as much as the prowess of their technical staff. Social engineering is still a popular and effective attack employed by any number of attackers. Strong technical security measures will tempt attackers to exploit the human factor and gain access to systems through careless or clueless employees; this makes employee education another integral component of strong security. Systems in place should be such that no employee should under any circumstances be asked for their password by another employee. One favorite social engineering tactic is to pose as an IT worker and simply ask an employee for their password, or even just attempt to look over their shoulder as they enter the password, negating all of the air tight password policies in place. In order to prevent this sort of attack, employees should be assured that under no circumstances whatsoever are they supposed to share their password or account access and information, indeed that they should immediately report any attempt by anybody to elicit that information from them. Computers can also be compromised by phishing scams if an employee invites outside malware onto the network from their personal email accounts. Thus strong implementation and enforcement of policy involving the use of personal email or the internet for personal reasons is necessary. Remote access to the business network should also be tightly controlled. Remote access programs should be reviewed consistently for security risks and it is strongly advised that remote access be limited to company devices that are consistently swept for viruses and malware as employee personal computers present a host of security risks.

Overcoming Obstacles to Implementing an IT Security Plan

One of the greatest obstacles to the implementation of a strong security plan is a lack of cooperation between the business and IT sides of a company. The business side of the company is concerned with profit and therefor efficiency. The IT side of the company is concerned with security, and proper security measures can lower the efficiency of employees. This makes it vitally important that the business side of a company be involved with the development of a security plan on some level. Involvement increases the understanding of the security threats posed and re-enforces the necessity of strong security policies to the management. Understanding security is important on every level. The business management side of the company is less likely to oppose certain security measures if they better understand the importance of said measures. The employees are more likely to follow security protocol closely if they understand what a vital role their vigilance plays in the security and well being of the company.

Gradual, Effective Implementation

In this day and age it is unlikely that an IT security professional will find themselves designing a security plan from the ground up. If you are working for an existing company, IT security policies may already be in place making the implementation of new or different policies more difficult as it requires employees to learn a new way of doing things. The sudden, broad implementation of a new plan can be disastrous if the employees do not understand what is going on. Thus it is a good idea to implement new policies and procedures gradually, beginning with those most vital to securing the most important data. A gradual implementation allows employees to be educated gradually as the new system is implemented instead of being inundated with new policies, information and procedures all at once.

Example IT Security Plan Outline


Below is a basic outline detailing the fundamental areas which should be covered by any comprehensive security plan. Each company has its own unique needs; this outline’s intention is to provide a starting point. Any comprehensive security plan should take into account a company’s unique needs, restrictions, resources and other considerations.


1. Asset Identification

1A. Physical Assets

  1. Sensitive Data
  • Confidential Data
  • Private Data
  • Public Data
  1. Computers, Tablets and Wireless Devices
  2. Backups and Data Archives
  3. Employee Information
  4. Customer Information
  5. Commercial Software

1B. Non-Physical Assets

  1. Passwords
  2. Company Reputation
  3. Confidentiality


2. Risk Assessment

2A. Human Factor

1. Malicious External

  • Malware
  • Worms
  • Network Penetration
  • Social Engineering
  • Denial of Service
  • Password Cracking

2. Malicious Internal

  • Unauthorized destruction or modification of data.
  • Data Theft
  • Attacks against company reputation
  • Social Engineering for Passwords

3. Non-Malicious

  • Hardware Misuse
  • Software Misuse
  • Accidental Deletion of Data
  • Revealing Sensitive Data Through Discussion
  • Hardware Failure
  • Software Bugs or Glitches

2B. Natural Factor

  • Power Outage
  • Fire
  • Flood, Tornado, Hurricane, Earthquake


3. Pro-Active Planning: Security Policies

3A. Password Policies

1. Administrative Responsibility

  • Maintain Password Database
  • Assign Strong User Passwords
  • Change User Passwords On a Regular But Unpredictable Basis
  • Require Periodic Authentication During the Work Day
  • Limit Login Attempts to Prevent Cracking

2. User Responsibility

  • Memorize Passwords
  • Never Share Password Information (with anyone, even IT staff)
  • Report Suspicious Activity on Account

3B. Email Policies

3C. Internet Policies

  •  Company Use
  •  Personal Use
  •  Social Networking
  •  Browsing Habits

3D. Backup Policies

1. Regularly Scheduled Backups

2. Determine Best Backup Types

  • Standard
  • Incremental
  • Differential

3. Information to Be Backed Up

4. Type of Storage Used for Backup

  • Hard Drive
  • CD-Rom
  • Cloud Storage

5. Onsite Backup Storage

  • Store Data Backup in Fireproof Safe
  • Safely Store Critical Software

6. Offsite Backup Storage

  • Cloud Storage
  • Specialized Data Storage Company
  • Safe Deposit Box

4. Reactive Planning: The Contingency Plan

4A. Moving Productivity to a Temporary Location

4B. Disaster Recovery Plan

4C. Notification of Relevant parties

  • Vendors and Consultants
  • Client Notification Procedure
  • Investor Notification Procedure
  • Employee Notification Procedure

4D. Develop Drills to Test Emergency Procedures


5. Employee Education and the IT Security Plan

5A. Threat Education

  • Threat of Malware
  • Threat of Social Engineering
  • Threat of Sabotage
  • Employee Threat Response Protocol

5B. Employee Security Procedure Education

  • Importance of Employee Vigilance
  • Security is a Team Effort
  • Impact of Negligence on Company
  • Impact of Negligence on Individuals

5C. If You Don’t Know, Ask

  • Teach Employees to Ask the Right Questions
  • Encourage Asking Questions
  • Ask Questions Before It’s Too Late


IT Security Plan Checklist:

  • Identify Assets
  • Assess Risks
  • Formulate Pro-active Security Policies and Procedures
  • Formulate Reactive Emergency Plans
  • Develop Employee Education Curriculum



In closing, the design and implementation of an IT security plan presents many unique challenges. The most important thing to keep in mind is that security is only as strong as the weakest link. It is vital to take all aspects of the business and its workings into account when developing a security plan.