Writing a basic security plan is a must for all businesses, regardless of size. For a small business, drafting an essential security plan takes a few hours (8 to 10 hours), writing up an inventory list takes a few more (2 to 4 hours), and after that drawing up the relevant update and recovery checklists should take you a few more hours (4 or 5 hours).
Note: Drafting the information security policies, procedures, and process documentation needed to satisfy ISO 27001 requirements does not scale with the size of your organization; it will take a few dedicated days (4 or 5 days) and a few weeks to refine.
Here’s how a small business builds a working cyber security plan. Large companies have more complex needs that require a more sophisticated strategy, which is beyond the scope of this article; contact me if you need assistance with your needs.
You don’t need to be an IT security expert to get the job done. If you can run an application like LibreOffice to edit a document and browse the web, you already know enough to protect your organization at a basic level, no black magic involved. Investing in cybersecurity delivers a considerable return on investment, always. Using the FCC Cyber Security Planning Guide, you can create a simple cybersecurity plan for your organization. The first draft of your cyber security plan doesn’t have to win a Pushcart Prize, but make sure it doesn’t read like a Flannery O’Connor Award for Short Fiction entry either. It does not need to run to hundreds of pages with chapters of fine detail. Your plan needs to outline the threats you are likely to face and establish sound policies, procedures, and processes, with clear responsibilities for taking action.
The best security plans are simple, but they demand that everyone involved be proactive and vigilant about security. Everyone concerned should take note of which policies, processes, and procedures are working and which need to be polished, changed, or simply thrown out. It’s all about involving everyone and building the collective knowledge required to take charge of your cyber security.
Identify and understand your risk: start by listing all your digital assets, such as emails, work files, financial records, employee information, business and project plans, schedules, clients’ data, contracts, and any other information you want to protect.
Before you can protect anything, you need to know what you are protecting: take an inventory of all the assets that contribute to your business and its security. For many companies, the objectives include:
- Protecting all your data, such as:
  - Customer sales records
  - Customer credit card transactions
  - Customer mailing and email lists
  - Customer support information
  - Customer warranty information
  - Patient health or medical records
  - Employee payroll records
  - Employee email lists
  - Employee health and medical records
  - Business and personal financial records
  - Marketing plans
  - Business leads and inquiries
  - Product design and development plans
  - Legal, tax, and financial correspondence
- Meeting your regulatory and legislative obligations;
- Showing your suppliers and clients that you are proactive about security by implementing and complying with best-of-breed standards from ISO, NIST, and others.
List your employees and allocate a cyber security role to every person, for example:
- Responsible for overall cyber security: the Information Security Officer;
- Accountable for all security-led technical changes: the person most comfortable with software and hardware;
- Responsible for scheduling and managing updates and checks: everyone, coordinated by a team leader.
- Moreover, everyone must acknowledge that they are responsible for understanding risks such as email scams and malware, and for staying vigilant while online.
Your cybersecurity policies, procedures, and processes also have to account for risks such as:
- Accidental damage, like dropping a tablet and breaking the screen,
- Technical failure, such as the death of a vital server,
- Natural disasters such as earthquakes, floods, and fire,
- Crime, such as a break-in at your premises,
- External risks like malware attacks and industrial espionage,
- Employee negligence, such as unintentional file deletion,
- Employee misconduct, such as stealing customer data.
Using NIST SP 800-53 R4, Security and Privacy Controls for Federal Information Systems and Organizations, you can formalize your security controls to help you manage your risks and decide which people will manage those risks best. NIST SP 800-53 and ISO 27002 will help you plan how to select controls that mitigate the risks. If you are a Microsoft Windows user, your controls for detecting, updating, recovering, and practicing safe computing might include things like:
- Ensure that all your mail is scanned for viruses, archived, and kept secure;
- Use digital signature and encryption certificates;
- Encrypt your data and move it to a central file server;
- Stop staff from storing information on their local computers;
- Back up vital data, encrypted, every day, with local copies and copies in the cloud (DropBox, Google Drive, iCloud, Mega, OneDrive, SpiderOak);
- Encrypt and store critical customer and business information locally and in the cloud (DropBox, Google Drive, iCloud, Mega, OneDrive, SpiderOak);
- Use TNO computing (Trust No One, with network segmentation) so that only people working on a given project have access to that project’s files;
- Enforce TNO computing and restrict access to business information like clients’ accounts and payroll to need-to-know only;
- Set up BitLocker, GNU Privacy Guard, or AxCrypt on all your computers to protect your data at rest against loss or theft of the device;
- Security-mark every piece of equipment (PC, server, laptop, tablet, mobile phone, and so on);
- Have a third party conduct an annual audit of your physical security, locks, and alarms;
- Update your security policies, procedures, and processes yearly and train all new staff, without exception;
- Hold a refresher course to ensure everyone in the company is familiar with changes to security policies, procedures, and processes;
- Spot-check regularly to ensure staff take security seriously and follow established protocols.
It’s a reasonably straightforward exercise, but even a basic cybersecurity plan can save you a world of pain. To ensure the integrity of your cybersecurity plan and its policies, procedures, and processes, it is wise to employ a third party to audit your cybersecurity as a whole, or simply to help you implement it: documentation, controls, and the rest.
You will find helpful links in the FCC Cyber Security Planning Guide.
- Guide to Developing a Cyber Security and Risk Mitigation Plan – NRECA / CRN, https://www.smartgrid.gov/files/CyberSecurityGuideforanElectricCooperativeV11-21.pdf
- Cyber Security Planning Guide – FCC, https://transition.fcc.gov/cyber/cyberplanner.pdf (accessed February 18, 2019).
- Cyber Security Bulletin T#): Scams And Frauds – US Army, https://www.army.mil.ph/home/pdf_files/Cyber_Bulletin/Cyber%20Security%20Bulleti (accessed February 18, 2019).
- Cyber Security Planning Guide – Homeland Security | Home, https://www.dhs.gov/sites/default/files/publications/FCC%20Cybersecurity%20Plann (accessed February 18, 2019).