Security Plan

The executive heads of major University organizations are responsible for managing the risks associated with their assets. They must document and implement an Information Security Plan (Security Plan) that demonstrates due care in securing their assets by meeting the intent of the controls in Administrative Policy Statement 2.6.

A Security Plan should:
  • Describe critical assets and how they support the organization’s mission
  • Document existing security controls
  • Delegate lines of responsibility and accountability
  • Describe objectives and goals related to security
  • Improve informed decision-making and prioritization of IT efforts
  • Help everyone understand the information environment
  • Help everyone understand responsibilities and expectations
  • Prepare for incident response
  • Understand organizational and University-wide risks
  • Comply with Administrative Policy Statement 2.6

Important considerations when developing a Security Plan:

  • One size does not fit all – Some departments within a large organization or some individual assets may require their own Security Plan. Specific regulatory requirements, different IT environments, certain data types, critical business functions, and organizational reporting lines are some of the factors to consider when determining the approach that is best for your Security Plan.
  • Reference centralized services – Rather than explain how centralized services (e.g., a UW IT hosted server) work, it is sufficient to describe which requirements are addressed by the centralized service, the lines of responsibility, and how accountability is tracked.
  • Reference outsourcing – Like centralized services, outsourced solutions can be incorporated into the Security Plan by reference, together with a description of how decisions are made about the third-party services.
  • Map asset dependencies – An asset may be critical because of its own value or because other assets depend on it.
  • Use existing sources – Leverage documentation, information resources, and systems that already exist.

The Office of Information Security has developed the following resources in order to ease the development, maintenance, and use of a Security Plan by drawing upon both the business and technical expertise that already exists within an organization.

Please feel free to engage the OIS Advising team, using the Contact OIS link below, to provide further clarity and context on filling out any of these documents.