IT Security Plan

The goal of your IT Security Plan should be to determine an appropriate level of security and arrange to organize suitable security for your departmental IT assets. No department or PC (or MAC or workstation) is immune to compromise. University information and network assets are of significant value and protecting them is our responsibility. Every department is expected to develop a security plan. The Risk Assessment helped determine your department's IT security risk level; the Departmental Security Checklist helped evaluate your department's IT security strengths and weaknesses. The IT plan is the remainder of the statements gleaned from your evaluation of the earlier steps.

When you've finished making your list of statements from the Checklist which were answered in the negative, review it and determine approprate responses. Please take into consideration your departmental inventory, the information assets you are protecting and the level of protection you should have.  Consider any problems you would have whether they are legal problems, support issues, availability or any other evils that might beset your department.

Remember to consider the recommended security additions in the Risk Assessment based on the categories of confidentiality, integrity and availability.  Add these to issues/statements from the Security Checklist which you have decided to improve or implement.  Include your inventory (which will come in handy for future reference and possible insurance claims) in the beginning of the report. 

Make an effort to understand your systems and your department. The systems administrator may develop the plan to have approved by the Dean/Director/Administrator.  The departmental Systems Administrator and Dean/Director/Administrator should discuss issues, possibilities, time lines and develop a realistic plan.  Responsibilities for every part of the plan should be determined and assigned.  Target dates should also be set.

The Departmental Security Plan should be reviewed annually.  The Plan should be monitored with progress reports provided to the Dean/Director/Administrator quarterly.

Sample Security Plan

In developing a Departmental Security Plan the Asset Inventory and Risk Assessment should be considered.  The following Sample Security Plan is for a department that has evaluated itself as needing a highly secure environment. This department's system rated high in all areas (confidentiality, integrity and availability) of the Risk Assessment.  The Asset Inventory is also listed below.

(Statements on this template have been gleaned from the Departmental Security Checklist. All items answered 'no', should be addressed in the Security Plan.) 

Asset Inventory

According to the Risk Assessment the Sample department scored in the high probability and high impact areas for all categories (confidentiality, integrity and availability).

The following is an inventory of the physical and information assets of the Sample department:

Physical Assets 
17 workstations 
file server 
web server 
network printer 
tape back-up 
2 laptops

Information Assets 
Social security numbers 

Sample Security Plan

All of the following bulleted items were marked 'no' on the Security Checklist.  The Sample department is taking corrective action as indicated by the statements with target dates. The items should be discussed between departmental administration (Dean, Director, Administrator) and the Systems Administrator (UCS, Computing Manager) to determine if there is a need to consider these as possible deficiencies and implement additional security processes, policies or improvements based on the Asset Inventory and Risk Analysis.

Please also consider if your current infrastructure is sufficient condition to support additional measures.<

The Sample department will implement the following improvements for security purposes with the following target dates: 
(Items (below) from the Checklist marked negative)

  • Regular testing of UPSs-UPSs will be tested monthly on the 1st.
  • Maintain diagnostic software onsite-Diagnostic software will be researched and purchased at the discretion of the Systems Administrator.  Said software will be locked in the storeroom.
  • Target date to move database to new software-Database will be moved from Paradox to Access within two months (7/09).
  • Provisions to continue operations in the event central services software is not available-A team will be created to develop a plan for business continuity in the event of central services downtime.
  • Network documentation for computers and network devices-Part-time students will be hired for the purpose of creating documentation.
  • Physical and software access to network devices-Access will be discussed at staff meetings until resolved beginning 5/09.
  • WAN failure department functionality-Staff will have sufficient software to support short term network problems.
  • Staff duties and standards-Security duties and responsibilities will be designated in job descriptions and standards evaluated at regular intervals (quarterly).
  • Documentation to explain how to perform all IT security related duties-Those responsible will document IT related duties for review by the Systems Administrator and Director.
  • Additional training (target dates and suggested training)-Security training will be provided to the Systems Administrator.
  • Delegation of authority-Authority for security related issues will be delegated by policy, or by decision of the Director.
  • Funding-A sincere effort will be made to provide for additional security measures and personnel.  Initially, 1% of the budget will be devoted to security related purchases.
  • Non disclosure agreements-All IT staff will be asked to endorse a nondisclosure agreement for confidentiality purposes.
  • Enforce and check strong passwords (authorize)-Strong passwords will be requested, however, neither the Director nor the Systems Administrator find it an enforceable issue.
  • Account removal process-A policy and procedure will be created to address account removal within the next six months (11/09).
  • Unauthorized users-Staff will be provided with a workshop on Security Awareness and Social Engineering to make them aware of security practices.
  • Remote access authorization not known-The Systems Administrator will do a survey of alternative methods for remote access including VPN, wireless, network connections and PDAs.
  • Document physical security procedures-Information on security procedures will be sought (5/09).
  • Procedure for disposing of confidential and sensitive material on hard drives, tapes, floppy disks, CDs, etc.-System Administrator will provide process and documentation by 12/09 with the help of part-time students.
  • Network diagram that includes IP addresses, room numbers and responsible parties-Part-time students will research and diagram (target date 8/09)
  • Log retention standard-Systems Administrator will research (6/09)
  • Need protection for clear-test passwords that are embedded in SQL scripts-Systems Administrator will address (9/09)
  • The FTP server operator needs more information about site problems and techniques-FTP server operator will research training options (9/09)
  • Data integrity software-Systems Administrator will research data integrity software (10/09)
  • Inventory of devices attached to the network-Part-time students will inventory (7/09)
  • Room jacks mapped to a switch port-Systems Administrator will check.
  • Written contingency plan-Director will create a team to research and document contingency plan (3/10)
  • Plan to continue departmental business in the event that Central Systems are down-Director will create a team to research and document contingency plan (3/10)
  • Should the department store back-up media off site-Director will create a team to research and document contingency plan and back-up storage (3/10)
  • Regular dates to verify backup capabilities-Back-up capabilities will be tested in June and January
  • Configuration/asset control plan-The Director and Systems Administrator will discuss IT plans and needs twice annually after backup capabilities have been tested and reported on in June and January.
  • Only trained authorized individuals will install computer equipment and software-Experience and training guidelines will be established by the Systems Administrator and approved by the Director.
  • Plan and funding for upgrades-Director will set aside funding for regular upgrades and security improvements
  • No way to determine they have been or are being attacked (IDS) (firewall)-Systems Administrator will implement

The Sample department will write and implement the following additional policies, standards and processes 
Account removal 
Elimination of chat clients 
Trusted workstation security

The following recommendations for workstations will be followed: 
CD-ROM Autorun feature disabled on all workstations 
Password caching disabled on all workstations 
Chat clients (ICQ, Yahoo Messenger, etc.) are not allowed at departmental workstations 
ActiveX, Javascript, and Java disabled in web browsers and email programs for all workstations 
Security measures are being discussed for all workstations 
Account policies set to require a password that is at least 7 positions, periodically expired, and unique from the prior 10 passwords 
The internal firewall been activated on workstations 
Remote desktop and remote assistance been turned off on Windows computers 
Web servers are set to only accept traffic on port 80 
The web server is set to reject attempts to remotely administer it 
The web server is set to authenticate certain user traffic 
Sample files, scripts, help and development files been removed from the web server 
All FTP servers are set to authenticate users with traffic encrypted/secured 
All FTP directories set to either Read or Write 
File sharing is not permitted on any workstation in the department 
All workstations are required to implement a password-protected screensaver with a 5 minute max time 
Users were instructed on how to lock workstations when they step away

With recommendations from the Information Protection and Security Division, the Sample department will be implementing perimeter security which controls access to critical network applications, data and services so that only legitimate users and information can pass through the network.