9 Steps to Create Information Security Plan (Part 1)
In part one of this two-part blog series, we'll cover what an information security plan is, why your firm needs one, and the first three steps to create a plan.
What is an Information Security Plan?
An information security plan is documentation of a firm's plan and the systems put in place to protect personal information and sensitive company data. This plan can mitigate threats against your organization, as well as help your firm protect the integrity, confidentiality, and availability of your data.
Why Do Firms Need an Information Security Plan?
In today's changing regulatory and investor landscape, information security plans are critical for firms to comply with SEC regulations, due diligence requests from investors, and state laws. Additionally, cybersecurity threats are becoming more common and more sophisticated. Aside from protecting the integrity of your data and keeping it confidential, there are other legal requirements: any firm registered with the SEC must have a plan in place, and there may be other state or industry-specific regulations that require your firm to have a formal plan. Example: the GDPR.
Steps to Create an Information Security Plan:
Step 1: Perform a Regulatory and Landscape Review
Your firm must first perform a regulatory review, as all businesses have requirements coming from oversight bodies. There are also self-imposed industry standards and expectations that come from external stakeholders.
Step 2: Specify Governance, Oversight & Responsibility
Create a CIRT (Computer Information Response Team) or CISRT (Computer Information Security Response Team). This group will be responsible for ensuring the firm follows the policies and procedures around the information security plan. Though these specialized teams have the responsibility to oversee policy, all members of the firm have a role in information security.
Step 3: Take Inventory of Assets
In the simplest of terms: know what you have. Create an inventory of both hardware and software, and identify the existing safeguards and controls you have in place. This step is crucial, as you can't properly assess your firm's level of risk or adequately protect data and information unless you understand what systems you have and what data they hold.
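As an added illustration of Step 3 (this is example code written for this post, not part of the original article or any product it describes), the following Python script models a small asset inventory that records, for each hardware or software asset, what data it holds and which safeguards are in place, then flags assets whose controls do not match the sensitivity of their data. The asset names, control names, classification levels and the required-controls policy are all assumptions made for the example; a real firm would substitute its own.

```python
"""Minimal asset inventory with a control-coverage check.

Constructed example for Step 3: know what systems you have, what data they
hold and which safeguards exist, then find where sensitivity and controls
disagree. Asset names, control names, classification levels and the
required-controls policy below are assumptions for illustration only.
"""
from dataclasses import dataclass, field

# Assumed data classification scale, ordered from least to most sensitive.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Assumed policy: the minimum safeguards an asset must have at each level.
REQUIRED_CONTROLS = {
    "public": set(),
    "internal": {"patching"},
    "confidential": {"patching", "mfa", "encryption_at_rest"},
    "restricted": {"patching", "mfa", "encryption_at_rest", "backup", "logging"},
}

# Assumed mapping from the kinds of data a firm holds to a classification level.
DATA_CLASSIFICATION = {
    "marketing_copy": "public",
    "internal_memos": "internal",
    "client_pii": "confidential",
    "trading_records": "restricted",
}


@dataclass
class Asset:
    name: str
    kind: str                                     # "hardware" or "software"
    owner: str                                    # accountable team or person
    data_types: set = field(default_factory=set)  # e.g. {"client_pii"}
    controls: set = field(default_factory=set)    # safeguards currently in place


def classify(asset: Asset) -> str:
    """Return the highest sensitivity level across the data an asset holds."""
    levels = [DATA_CLASSIFICATION.get(d, "internal") for d in asset.data_types]
    if not levels:
        return "public"
    return max(levels, key=SENSITIVITY.__getitem__)


def control_gaps(inventory: list) -> dict:
    """Map each non-compliant asset name to its sorted list of missing controls."""
    gaps = {}
    for asset in inventory:
        missing = REQUIRED_CONTROLS[classify(asset)] - asset.controls
        if missing:
            gaps[asset.name] = sorted(missing)
    return gaps


def summarize(inventory: list) -> dict:
    """Count assets per classification level, for a one-line risk overview."""
    counts = {level: 0 for level in SENSITIVITY}
    for asset in inventory:
        counts[classify(asset)] += 1
    return counts


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Asset("web-01", "hardware", "it", {"marketing_copy"}, {"patching"}),
    Asset("crm", "software", "sales", {"client_pii"}, {"patching", "mfa"}),
    Asset("oms", "software", "trading", {"trading_records", "client_pii"},
          {"patching", "mfa", "encryption_at_rest", "backup", "logging"}),
    Asset("laptop-07", "hardware", "ops", {"internal_memos"}, set()),
]

if __name__ == "__main__":
    for name, missing in control_gaps(SAMPLE_INVENTORY).items():
        print(f"{name}: missing {', '.join(missing)}")
    print(summarize(SAMPLE_INVENTORY))
```

The point of keeping data types and controls as explicit fields is that the gap report falls out of the inventory itself: once every system and the data it holds is recorded, the question "where are we under-protected?" becomes a set difference rather than a guess, which is exactly the risk assessment the later steps of the plan build on.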
In our next blog post, we'll continue the series and post steps four through nine on how to create an information security plan. You can also download our eBook to get a comprehensive list of the nine steps, including pro-tips and resources relevant to financial firms.