Keep It Secure: 7 Crucial Steps to an Information Security Plan

As data privacy and security law and regulations evolve and develop, it is critical that every company and organization understand and appreciate the obligations that come from having people’s personal information. If you’ve got people’s personal information, you better have a plan to protect it.

A company—and all individuals whose personal information is affected—can be severely harmed by a breach of security and the resulting investigation or possible lawsuit. A security breach creates the risk of legal liability and may threaten the viability of a business by causing the loss of goodwill and business trust.

To develop a security plan, a company must assess existing data flows, evaluate risks, and understand its compliance requirements. Then it must develop policies (high-level) and procedures (for daily use) that take into account which information must be protected from which risks.

Here are seven crucial steps to any information security plan:

1. Identify a responsible party. Designate and empower an employee or employees, often referred to as the “chief security officer” or “chief information security officer,” to be responsible for setting security strategy and policy, conducting ongoing regulatory analysis, and implementing and enforcing the security program.
2. Assess the assets to be protected. These assets may include, for example, information about employees (such as payroll, pension, or benefit information) or consumers (such as Social Security number, credit card account, or other data), or health information or financial information.
3. Assess the risk to these assets. Identify the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of the information. What is the risk of unauthorized or accidental disclosure, misuse, loss, alteration, destruction, or other compromise of the information?
4. Record the plan. Design and implement reasonable safeguards to manage and control the identified risks; select appropriate security measures that will be taken throughout the organization and the policies and procedures that will be used to ensure that the measures are implemented; clearly write the plan so that all employees with responsibility for aspects of the system can understand and implement it; provide for emergencies to ensure the company’s ability to continue operations.
5. Implement and Train. Once you have an information security plan, communicate to employees the applicable security policies, procedures, and guidelines and implement adequate training throughout the company. Implement a security awareness program, which should include distributing periodic reminders and providing refresher training courses to ensure continued compliance. Make sure employees know the serious consequences of most security incidents and encourage them to report any suspected incident promptly.
6. Audit, Test, and Monitor. Test and monitor the effectiveness of the safeguards, key controls, systems, and procedures to ensure that the security measures are properly in place and remain effective.
7. Conduct Periodic Revisions and Adjustments. Periodically adjust and modify the information security program to take into account the results of the testing and monitoring, any material changes to the company’s operations or business arrangements, or any other circumstances that may have a material impact on the effectiveness of the company’s information security program.

To survive and be competitive, every company must invest the resources necessary to show that it respects and protects the security of the personal information it has about its personnel, customers, and third parties.

For excellent coverage of information security and security breaches, including all aspects of a security plan, turn to CEB’s Privacy Compliance and Litigation in California, chap 3. 

© The Regents of the University of California, 2012. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.