Let’s talk about security management planning in this article.
The ultimate goal of security management planning is to create a security policy that will implement and enforce it. The beauty of security policy is that it provides a clear direction for all levels of employees in the organizational structure.
The Top-Down Approach
The most effective approach in terms of security management planning is top-down. Meaning the senior management needs to initiate it and they’ll be responsible for security management in general. This approach makes perfect sense because if you have a security policy that’s not supported by your senior management, nobody will follow or comply with it. The security team or department enforcing the security management planning or security policies have to be autonomous to be effective and should be led by the designated chief security officer, reporting directly to the senior management. This way, it can be free from any politically motivated activities in the organization.
Who are Involved?
To further elaborate on this top-down approach. The senior or upper management are responsible for security management in general. The senior management should take security management planning as sort of a business operations issue and take their responsibilities very seriously. Their job is really initiating and defining the security policy.
The role of middle management is to turn these security policies into standards, baselines, guidelines, procedures, and so on. This way, it will provide more details and guidance in terms of implementing the security policies.
Then the operational managers or security professionals are responsible for the implementation of security policies.
Lastly, the end-users are supposed to comply with the security policies. These different roles in the organizational structure demonstrate the top-down approach.
Naturally, the senior management are not experts in information system security. In that regard, there needs to be a team of practitioners to help them in developing the security policies. One of their objectives is to educate the senior management on risks, liabilities, and exposures that will remain even after the implementation of the policies.
Due Diligence & Due Care
Due diligence must be done, especially in terms of planning and doing research to make an informed decision.
Due care is mainly a follow-up on due diligence. If you have a security policy, do you actually implement it? Or do you actually enforce it? Whether you’re doing something about your plans, that’s what due care means. At the end of the day, developing, implementing, and enforcing security policies provide evidence of due care and due diligence on the part of senior management.
If something happens and due diligence and due care weren’t done, the senior management could be liable for negligence.
Elements of Security Management Planning
At the center of any security management planning is a guide that:
- defines security roles
- prescribes how to manage security
- decides who will be responsible for the different security roles
- tests the effectiveness of the security measures as described in the security policies
- analyzes risks
- conducts security education and awareness campaigns
Types of Security Management Plans
There are three types of plans you could do. One is the strategic plan.
With this type, the role of security in your organization is defined. Security purpose is one of the things that needs to be specified in the plan. Then you have to assess how well you’re doing what you’re doing. After the assessment, the status quo of your current security operation needs to be determined. This provides a planning horizon to improve what is currently being done or maintain the status quo.
Typically, in the strategic plans, it is important to identify goals and visions that are long term in nature. This type of plan is relatively stable and useful for five years. It talks about the security function in the context of the goals, missions, and objectives of the organization.
The next type of is the tactical plan. In terms of its lifespan, we can call it a midterm type of plan, because it’s probably good for about a year compared to the previous plan. This type of plan provides more details on how to accomplish the goals and objectives specified by prescribing and scheduling the tests, specific tests.
Some examples of tactical plans include:
- Project plans
- Acquisition plans
- Hiring plans
- Budget plans
- Maintenance plans
- Support plans
- System development plans
The last type is the operational plan. These are short-term in nature. It gets updated often to comply with the tactical plan, either by monthly or quarterly. These operational plans talk about the day-to-day operations of your security organization, mostly in terms of how to accomplish various goals in the security policy.
Some of the topics covered in this type of plan are:
- Resource allotments
- Budgetary requirements
- Staffing assignments
- Implementation procedures
The examples of the operational plan include training plans, systems, final plans, and product design plans.
Nature of Desirable Security Management Planning
In summary, the planning has to be ongoing in terms of development, maintenance, and actual usage. It should also be concrete, clearly defined, and feasible. It’s essential to anticipate potential changes and problems when dealing with these planning exercises.
By doing it properly, it serves as a basis for making an informed decision for your organization as a whole.
Ultimately, planning is important in the context of security management in general, and all the critical stakeholders have to be closely involved in the planning process.