Office of the Chief Information Security Officer

Security Plan


The executive heads of major University organizations are responsible for managing the risks associated with their assets. They must document and implement an Information Security Plan (Security Plan) that demonstrates due care in securing their assets by meeting the intention of the controls in Administrative Policy Statement 2.6.

Purpose

  • Describe critical assets and how they support the organization’s mission
  • Document existing security controls
  • Delegate lines of responsibility and accountability
  • Describe objectives and goals related to security and privacy

Goals

  • Improve informed decision-making and prioritization of IT efforts
  • Help everyone understand the information environment
  • Help everyone understand responsibilities and expectations
  • Prepare for incident response
  • Understand organizational and University-wide risks
  • Comply with Administrative Policy Statement 2.6

Getting Started

Important considerations when developing a Security Plan:

  • One size does not fit all – Some departments within a large organization or some individual assets may require their own Security Plan. Specific regulatory requirements, different IT environments, certain data types, critical business functions, and organizational reporting lines are some of the factors to consider when determining the approach that is best for your Security Plan.
  • Reference centralized services – Rather than explain how centralized services (e.g. UW IT hosted server) work, it is sufficient to describe what particular requirements are addressed by centralized services, lines of responsibility, and how accountability is tracked.
  • Reference Outsourcing – Like centralized services, outsourcing solutions can be incorporated into the security plan by reference and with a description of how decisions are made about the third-party services.
  • Map asset dependencies – An asset may be critical because of its own value or because other assets depend on it.
  • Use existing sources – Leverage documentation, information resources, and systems that already exist.

Resources

The Office of the CISO has developed a “How-to” guide to ease the development, maintenance, and use of a Security Plan. It draws on the business and technical expertise that already exists within an organization so that security planning activities become a more natural part of its work.

Security Plan How-to Guide (docx)
Security Plan Workflow (pdf)
Asset Discovery – Critical Info Systems Worksheet (xlsm)
Information Security Guideline (pdf)