In our previous post, we outlined what an information security plan is, why your firm needs one, and the first three steps of building a plan. Now, let's dive into steps four through nine on building an Information Security Plan to protect your firm.
Steps to Create an Information Security Plan:
Step 4: Classify Data
Identify what data is important and what needs to be protected. Three types of data include:
Personally Identifiable Information (PII)
Protected Health Information (PHI)
Non-Public Information (NPI)
Note that breaches involving the first two types of data are legally required to be reported to the SEC.
Step 5: Evaluate Available Security
Luckily, there are security frameworks available to help firms create their information security plan. The National Institute of Standards and Technology (NIST) provides a security framework that is a great starting point. This framework includes the following steps:
Identify: This includes cyber risk assessments, IT audits, and network inventory
Protect: Access controls, next-gen firewalls, endpoint protection, encryption, patch management, mobility management, info security training, and phishing tests
Detect: Intrusion detection and prevention, penetration testing, vulnerability assessments and continuous security monitoring
Respond: Incident response planning and remediation services
Recover: Backup and recovery, disaster recovery, security policy audit and maintenance
Step 6: Perform a Cyber Risk Assessment
Your risk assessment doesn't have to be overly complex. As part of the process, you'll want to produce a document that identifies the following components:
Internal vs. External Threats
Potential Business Impacts & Likelihoods
Appropriate Risk Responses and Remediations
Step 7: Perform a Third-Party Risk Assessment
As more firms outsource business functions, it is crucial to set expectations with your partners, vendors, and providers so that everyone is on the same page. We recommend having a process and checklist in place to make sure your firm is establishing acceptable third-party management guidelines. For a list of questions to ask and pro-tips, download the full eBook "9 Steps to Create an Information Security Plan".
Step 8: Create an Incident Response Plan
It's not if, but when, a cybersecurity incident will happen. It is imperative to have an attainable plan in place for when your firm does experience a cybersecurity incident. We recommend engaging all departments, from IT to Operations to HR, as well as external partners, in building that plan.
Step 9: Training and Testing Employees
Make your employees an asset instead of a threat to your information security! Employees are considered the first line of defense, and sometimes the weakest link in the organization; training and testing them can mitigate these threats and ensure that employees are the former rather than the latter. Conducting annual simulation exercises can ensure that employees are effectively trained.