Recently I had the opportunity to sit down with Matt Pascucci, one of our most popular and prolific guest bloggers. When he’s not blogging for AlgoSec, Matt works as an information security engineer for a large retail company where he’s involved with vulnerability and threat management, security awareness and daily security operations.
During our conversation Matt provided some invaluable advice for CISOs and security and compliance officers on security planning, including the value of a security plan, what it should include, and when and how to maintain and update it. Here’s what he had to say:
Do most organizations have a formal security plan? Does it usually follow any particular format and contain any routine content? Or does it vary greatly, with the organization – if it has one at all?
In this era of data breaches, most organizations do have a formal security plan put in place. From my experience, most organizations use the checklist format to keep everything organized. Security engineers and most operations teams go through forms and check off each day-to-day item, and when the list is completed, it gets sent along to management. While many security experts agree that the checklist mentality is not the correct way to have a successful information security program, most organizations still have the compliance mindset and use this format.
The format of a security plan can change depending on the departments within the organization. Larger organizations that have expansive security, engineering and network operations teams may have different security plans and checklists for each department. The day-to-day issues on the network operations side are usually very standardized, but for the information security department, plans can vary daily due to ongoing security incidents. Once the security plan is in place, the question becomes: do people actually follow the plan? It takes a massive amount of man-hours to correctly follow a security plan, especially when the plans are not fully integrated into every aspect of the business.
What topics should a security plan include?
Security plans are developed in a three-step process: vision, implementation and operation. Each security plan is different based on industry and business environment, but most security plans need to focus on four key areas: incident response, regulatory compliance, security policy management and disaster recovery.
We’ve seen incident response work its way to the forefront of information security programs in the past decade due to the ever-growing number of breaches and hackers targeting every type of business. Even with the best plan in place and the best defenses, data breaches are inevitable, so having a successful incident response plan is crucial to a company’s recovery after a data breach and can save not only money, but a company’s overall reputation.
It’s no surprise that compliance is a key to any security plan. We all have higher-ups that we report to and regulations to follow, so compliance is a foundation for every plan. As I mentioned, the check-box approach to security may not always be the most effective, but it is necessary.
Automated security/firewall policy management should also be a major foundation for any and every security plan. If implemented and used correctly, it can really help enable every part of the business and cut down on wasteful time and spending. Using products like AlgoSec, which takes an application approach to security policy management and looks at security from the business perspective, helps make the everyday security and network operations job much easier.
Lastly, disaster recovery is a key part of the security plan that many organizations consistently overlook. Information security departments and the C-level need to think about the major disasters that could take a network down and have a ripple effect throughout an entire organization. Physical disasters like a flood hitting a datacenter may be few and far between, but you should still plan for them. And what happens when a DDoS attack takes you offline for three hours?
When should an organization update its security plan? As required? Time-based – i.e. annually or quarterly? How should organizations make this decision?
Organizations should make decisions on when they should update their security plan based on the size of the organization, budget, and the importance of the issue at hand. For example, if a company doesn’t have the available resources to analyze vulnerability data every month, then vulnerability data analysis can be scheduled every six months. For something like compliance, it needs to be a high priority that happens once a month for auditing purposes. Organizations ultimately need to determine where their risk lies, and assign an owner to each risk area. Solutions that automate these tasks – such as security policy management – can significantly help reduce the time, effort and costs of these activities and ensure an effective program that minimizes the overall risks affecting an organization.