
The Steps to Create Information Security Plan (Part 2)

By Olivia Munro | Thursday, April 19th, 2018

In our previous post, we outlined what an information security plan is, why your firm needs one, and the first three steps of building a plan. Now, let's dive into steps four through nine on building an Information Security Plan to protect your firm.

Steps to Create an Information Security Plan:

Step 4: Classify Data

Identify what data is important and what needs to be protected. Three types of data include:

  • Personally Identifiable Information (PII)

  • Protected Health Information (PHI)

  • Non-Public Information (NPI)

Note that breaches involving the first two types of data are legally required to be reported to the SEC.

Step 5: Evaluate Available Security

Luckily, there are security frameworks available to help firms create their information security plan. The National Institute of Standards and Technology (NIST) provides a security framework that is a great starting point. This framework includes the following steps:

  • Identify: This includes cyber risk assessments, IT audits, and network inventory

  • Protect: Access controls, next-gen firewalls, endpoint protection, encryption, patch management, mobility management, info security training, and phishing tests

  • Detect: Intrusion detection and prevention, penetration testing, vulnerability assessments and continuous security monitoring

  • Respond: Incident response planning and remediation services

  • Recover: Backup and recovery, disaster recovery, security policy audit and maintenance

Step 6: Perform a Cyber Risk Assessment

Your risk assessment doesn't have to be overly complex. As part of the process, you'll want to produce a document that identifies the following components:

  • Asset Vulnerabilities

  • Internal vs. External Threats

  • Potential Business Impacts & Likelihoods

  • Potential Controls

  • Appropriate Risk Responses and Remediations

Step 7: Perform a Third-Party Risk Assessment

As more firms outsource business functions, it is crucial to set expectations with your partners, vendors, and providers so that everyone is on the same page. We recommend having a process and checklist in place to make sure your firm is establishing acceptable third-party management guidelines. For a list of questions to ask and pro-tips, download the full eBook "9 Steps to Create an Information Security Plan".

Step 8: Create an Incident Response Plan

It's not if, but when, a cybersecurity incident will happen. It is imperative to have an attainable plan in place for when your firm does experience a cybersecurity incident, and we recommend engaging all departments, from IT to Operations to HR, as well as external partners, in building it.

Step 9: Training and Testing Employees

Make your employees an asset instead of a threat to your information security! While employees are considered the first line of defense, and sometimes the weakest link in the organization, training and testing employees can mitigate these threats and ensure that employees are the former rather than the latter. Conducting annual simulation services can ensure that employees are effectively trained.

Connect with Eze Castle Integration today to learn more!
