Every organization is different, and you will need to customize the structure of this security plan to meet your needs.
You will neeed to:
This is the comprehensive table of contents for a typical corporate plan produced by Binomial PlanBuilder for Security. Some organizations will not need all these sections.
Many people will avoid reading a plan until the last minute. The executive summary module ensures allows people to obtain a quick overview of the plan without reading the details.
1 EXECUTIVE SUMMARY 1.1 Introduction 1.2 Things to Know 1.3 Objective
When something happens, the first question people will ask is What do I do now?.
This section helps them find the answer quickly.
2 QUICK REFERENCE 2.1 Objective of this Module 2.2 Where to Find It
When people read your plan, they need to understand what you are trying to do and why. An introductory section helps ensure that the reader is familiar with concepts and terminology in the plan.
3 INTRODUCTION TO SECURITY 3.1 Protection 3.2 Detection 3.3 Reaction 3.4 Documentation 3.5 Prevention
This section could alternatively be moved into an appendix. It discusses the nature of the threats which need to be considered and common counter-measures that may be deployed.
4 ASPECTS OF SECURITY 4.1 Physical Security 4.1.1 Introduction 4.1.2 Security threats 220.127.116.11 Design Approach 18.104.22.168.1 Protective Barriers 4.1.3 Planning & Administration 22.214.171.124 Facility Protection 126.96.36.199 Planning Facility Protection 188.8.131.52 Design Factors. 184.108.40.206 Surveys and Inspections. 220.127.116.11 Awareness and Education. 18.104.22.168 Security incident Reporting. 4.1.4 Exterior Protection 22.214.171.124 Perimeter Security Measures. 126.96.36.199 Physical Barriers 188.8.131.52 Fencing 184.108.40.206 Gates. 220.127.116.11 Protective Lighting 18.104.22.168 Doors 22.214.171.124 Windows 126.96.36.199 Manholes, Grates and Storm Drains 188.8.131.52 Roof Openings 184.108.40.206 Mechanical Areas 220.127.116.11 Building HVAC Systems 18.104.22.168 Fire Escapes and Building Walls 22.214.171.124 Facilities in Remote Locations 126.96.36.199 Alarms 188.8.131.52 Security Guards 184.108.40.206 Protecting Utility Areas 220.127.116.11.1 Transformers 18.104.22.168.2 Connections and Lines 22.214.171.124 Protecting Public Areas 4.1.5 Interior Protection 126.96.36.199 Interior Security Controls 188.8.131.52 Area Designations 184.108.40.206.1 Restricted Area 220.127.116.11.2 Controlled Area 18.104.22.168.3 Unrestricted Area 22.214.171.124.4 Strongrooms 126.96.36.199 Identification, Admittance & Interior Movement Control 188.8.131.52.1 Employee Entry & Monitoring 184.108.40.206.1.1 Personal Identification 220.127.116.11.1.2 Artificial Access Identification Systems 18.104.22.168.2 Contractors 22.214.171.124.3 Visitors 126.96.36.199.3.1 Visitor Control/Screening System 188.8.131.52.3.2 Visitor ID Accountability System 184.108.40.206.4 Vehicle Control 220.127.116.11.5 Material Control 18.104.22.168.6 Guard Duties 4.2 Information Security 4.2.1 Server Security 4.2.2 Work Station Security 4.2.3 Network Security 4.2.4 Firewalls 4.2.5 Website / Internet 4.2.6 Communications Security 4.2.7 Data Compromised 4.2.8 Securing Applications 22.214.171.124 Why secure applications? 126.96.36.199 What should be included in a risk assessment? 188.8.131.52 Securing applications 184.108.40.206 Putting the puzzle together 4.2.9 Attacks 220.127.116.11 Social Engineering 18.104.22.168 Virus/Trojan Horses 22.214.171.124 Denial of Service 126.96.36.199 IP Spoofing 188.8.131.52 Worm 184.108.40.206 Replay Attack 220.127.116.11 Theft of Information 4.2.10 Actions to Take Now to Improve IT Security 4.3 Travel Security 4.3.1 Airports & Airplanes 4.3.2 Hotels 4.3.3 Laptops 18.104.22.168 The Loss 22.214.171.124 Use a Cable Lock 126.96.36.199 Don't Advertise with a Laptop Case 188.8.131.52 Be vigilant at Checkpoints 184.108.40.206 Keep Your Laptop Near 220.127.116.11 Don't Clutter Your Laptop Case 18.104.22.168 Laptop Travel Tips 22.214.171.124 Protect Information on Your Laptop 126.96.36.199 Back Up Data 188.8.131.52 Practice Good Password Hygiene 184.108.40.206 Use Two Factor Authentication 220.127.116.11 Choose Your Hot Spots Carefully 4.3.4 Cars/Taxis 4.3.5 Cell phones 18.104.22.168 Risks of Eavesdropping 22.214.171.124 Risks of Recording 126.96.36.199 Traffic Analysis 188.8.131.52 Geolocation 184.108.40.206 Other Cell Phone Security Risks 4.4 Identity Theft 4.5 Human Resources 4.5.1 Termination 4.6 Inside Security
This section discusses the specific security requirements of your organization.
5 SECURITY REQUIREMENTS
This section analyzes the security risks of your organization.
6 SECURITY RISK ASSESSMENT
To effectively manage security, it is desirable to assign responsibilities to various.
Some of the teams here can be merged with business continuity teams (if your organization has a business continuity plan) or, if you have a smaller organization, merged with each other.
Each team should know what its responsibilities are, what it needs to do to prepare for a secruity incident, what its objectives are during a security incident, and what it should do after the security incident has been dealt with.
7 SECURITY TEAMS 7.1 Security Management Team 7.1.1 Responsibilities 7.1.2 Preparation Tasks 7.1.3 During-Security incident Tasks 7.1.4 Response Tasks 7.1.5 Notes 7.2 Plan Development Team 7.2.1 Responsibilities 7.2.2 Preparation Tasks 7.2.3 During-Security incident Tasks 7.2.4 Response Tasks 7.2.5 Notes 7.3 Situation Inspection Team 7.3.1 Responsibilities 7.3.2 Preparation Tasks 7.3.3 During-Security incident Tasks 7.3.4 Response Tasks 7.3.5 Notes 7.4 Exercise Management Team 7.4.1 Responsibilities 7.4.2 Preparation Tasks 7.4.3 During-Security incident Tasks 7.4.4 Response Tasks 7.4.5 Notes 7.5 Physical Security Team 7.5.1 Responsibilities 7.5.2 Preparation Tasks 7.5.3 During-Security incident Tasks 7.5.4 Response Tasks 7.5.5 Notes 7.6 Logical (IT) Security Team 7.6.1 Responsibilities 7.6.2 Preparation Tasks 7.6.3 During-Security incident Tasks 7.6.4 Response Tasks 7.6.5 Notes 7.7 Security Incident Response Team 7.7.1 Responsibilities 7.7.2 Preparation Tasks 7.7.3 During-Security incident Tasks 7.7.4 Response Tasks 7.7.5 Notes
During the planning and analysis process, a list of actions which need to be taken will be identified. This is where they go.
8 ACTIONS TO TAKE NOW 8.1 Steps To Improve Physical Security 8.2 Steps To Improve Logical Security
A plan which only exists on the shelf, or on a hard drive on a server, is not one that will be successfully put into practice when the need arises. This section describes the various methods by which the plan will be tested, exercised, and improved.
9 EXERCISING THE PLAN 9.1 General 9.2 Emergency Drills 9.3 Exercises 9.3.1 Walk-Through Exercise 9.3.2 Functional Exercise 9.3.3 Simulation Exercise 9.3.4 Full-Scale Exercise 9.4 Scope Of The Exercise 9.4.1 Component Exercise 9.4.2 Plan Exercise 9.4.3 Process Exercise 9.4.4 Exercise Description 9.5 Exercise Frequency 9.6 Exercise Responsibility 9.6.1 Exercise Management Team 9.6.2 Application Team(s) 9.7 Data Collection 9.8 Internal Reviews & Critiques 9.8.1 Evaluation 9.8.2 Internal Tracking 9.9 External Reviews & Critiques 9.9.1 Schedule 9.9.2 Location 9.9.3 Participants 9.9.4 Agenda 9.9.5 Action Item Tracking 9.9.6 Acknowledgements 9.10 Test Suggestions
The people who will execute the plan need to be trained if the plan is going to successfully be put into action.
10 TRAINING 10.1 General 10.2 Who Should Be Trained 10.3 Specific Functional Training 10.4 Training Phases 10.4.1 A Framework For Training Response Teams 10.4.2 Pre-Planning Training & Awareness 10.4.3 Planning Methodology Training 10.4.4 Plan Role & Responsibility 10.4.5 Pre-Exercise Training 10.5 Response Procedures Training 10.5.1 Purpose 10.5.2 Building Accoutrements 10.5.3 The Human Element 10.6 Primary Procedures For Emergency Response 10.6.1 Bomb Threat & Search Procedures 10.6.1.1 Terrorist Bombing 10.6.1.1 Bomb Threat 10.6.2 Evacuation Procedures 10.6.3 Severe Weather 10.6.4 Medical Emergencies 10.7 Suggested Scenarios 10.7.1 Technological Accident 10.7.2 Natural security incidents 10.7.3 Business Crises 10.7.4 External Threats/ Other Hazards 10.7.5 External Threats due to Location 10.7.6 Human Factors 10.8 Supporting Document References
To ensure that the plan continues to meet the organziation's needs, it needs to be maintained. This section discusses these requirements.
11 MAINTENANCE 11.1 Purpose 11.2 Sequential Steps 11.2.1 Assessment of the Situation 11.2.2 Security Policy Formulation 11.2.3 Security Plan Development 11.2.4 Plan Implementation 11.2.5 Inspection and Testing 11.2.6 Evaluation 11.3 Maintenance Reasons 11.4 Maintenance Reports 11.5 Maintenance Schedule 11.6 Maintenance Log
A plan audit assures everyone that the actions detailed in the plan are being taken, and that the plan meets its requirements. This section discusses and describes how the plan will ber audited.
12 AUDITING 12.1 Auditing The Plan 12.2 Auditing Corporate Security Plans 12.2.1 The Plan Manager 12.2.2 Determination of Criticality 12.2.3 Resourcing 12.3 Copies of the Plan 12.4 Staff Training & Awareness 12.5 Off-Site Storage Of Documentation 12.6 Interdependencies 12.7 Corporate Security & Recovery 12.8 Testing & Exercises 12.9 Maintenance Of The Plan 12.10 Does The Plan Make Sense
There is a lot of information that is useful for the plan reader and for those who will execute the plan, but does not form part of the plan itself. These are some of the appendices that could be included.
1 SECURITY TERMS 1.1 GLOSSARY OF INFORMATION SECURITY TERMS 1.2 GLOSSARY OF NETWORK SECURITY TERMS 1.3 GLOSSARY OF PHYSICAL SECURITY TERMS 2 PASSWORDS 3 POLICIES 3.1 SERVER SECURITY POLICY 4 REFERENCES 5 FORMS 6 SPECIAL CIRCUMSTANCES 7 SECURITY MISTAKES 8 SECURITY CHECKLISTS 8.1 GENERAL SECURITY ISSUES 8.2 UNIFORMED SECURITY OPERATIONS 8.3 PERIMETER BARRIERS AND CONTROLS 8.4 GATE SECURITY AND CONSTRUCTION 8.5 VEHICLE CONTROL AND PERIMETER ENTRY POINT ACCESS 9 STRONGROOMS 10 INTRUSION DETECTION SYSTEMS 11 GUARD SERVICES 11.1 Personnel Requirements 11.1.1 Manpower 11.1.2 Armed Guards 11.1.3 Supervision 11.2 GUARD SERVICES STATEMENT OF WORK 11.2.1 Scope of Work 11.2.2 Contract Effort Required 11.2.3 Services Required 11.2.4 Supervision 11.2.5 Authority and Jurisdiction 11.2.6 Use of Force Policy 11.2.7 Regulations and Procedures 11.2.8 Equipment, Uniforms and Materials 11.2.9 Qualification of Personnel 11.2.10 Suitability Requirements 11.2.11 Special Requirements for Supervisors 11.2.12 Training 11.2.13 Reporting Work 11.2.14 Removal from Duty
This is potentially a lot of information for you to create and maintain. Fortunately there's a simple way to get started. It's far easier and more cost-effective to start with a product, such as our comprehensive Binomial PlanBuilder for Security, which will both enable you to get your plan up and running quickly and make it easier for you to maintain your plan.