bCentral Home
Your Online Business Center

What's a Security Plan?

Use this sample IT security plan to help create your own

Curious about what an IT security plan looks like? The following plan was put together by a fictitious company named Adventure Works. Because of the increasing focus on security in the computing world, the company decided to review security practises and develop a plan to improve those practises. Adventure Works’ requirements may differ from your company’s needs, but reading through its plan can give you an idea of the steps involved in creating a good security plan.

ADVENTURE WORKS SECURITY PLAN
Date: October 21, 2005

Introduction

This plan was developed by Matthew, Managing Director of Adventure Works, in cooperation with other key members of the Adventure Works staff.

About Adventure Works
We are a 20-person firm specialising in high-adventure travel packages. Our staff includes designers, travel agents, sales and marketing personnel, and the administrative team that supports them. The staff also includes the senior management of the business: the co-founders, Matthew and Denise, and the financial controller, Steve.

Objectives
This security plan is our first. We will take a broad view of the security risks facing the firm and take prompt action to reduce our exposure. Everyone remembers the virus attack we had earlier this year, and we hope to avoid another disaster like that! However, I hope that by taking a wider view, we may be able to plan for threats we don’t know about yet.

I realise that we are limited in time, people and (of course) cash. Our main priority is to continue to grow a successful business. The project team has weighed these constraints carefully in deciding what to do and has tried to strike a balance between practicality, cost, comfort, and security measures. We are all convinced, however, that doing nothing is not an option.

I am taking responsibility for leading this review and ensuring that all the action items are carried out. I am concerned about the risks we face, although having reviewed the plan, I am sure we can address them properly. This project has my full support and is a high priority for the business.

Circulation
Because this document contains important security information, it is confidential. Please don’t leave it lying around or make photocopies. We will not be sending this document via e-mail or storing it on the server—paper copies only, please. The following people are authorised to view this document:

Matthew (Managing Director)

Denise (Operations Director)

Steve (Financial Controller)

Kim (Staff Manager)

Sutton and Sutton (our lawyers)

Jeremy (our outside security consultant)

Project Team
The project team includes:

Denise, project leader

Steve

Kim

Jeremy, advising our staff and carrying out some of the implementation

In addition, we consulted with members of staff from sales, marketing and design to get their feedback about what they wanted and how the plan might affect them.

Assessment Results

Our assessment has produced the following results:

Skills and Knowledge
Our technology consultant, Jeremy, is familiar with our systems and with computer security. He will be our expert guide. However, we need to internalise as much of this knowledge as possible by doing as much of the work as we can. Doing so will also help us save money.

Each member of the project team has read the available security planning guides from Microsoft and the Internet Engineering Task Force (IETF) in preparation. The company as a whole is technically literate, but (with one or two exceptions) they see computers as tools to get the job done and don’t know much about how they work.

Our Network and Systems
The following is an inventory of our technology equipment:

Desktops: Twenty-two (one per member of staff plus two old machines acting as print servers)

Laptop computers: Six (one each for the directors, one for Steve, and three for the sales team)

Printers: Two (one high-end plotter and one printer-fax unit for general use)

Servers: One (a computer that runs Windows Small Business Server 2003 and manages the Internet connection, e-mail, and our customer database)

Internet connection: 1.5 Mbps cable modem connection. The server and several of the computers are linked by 100 Mbps Cat5 Ethernet cables. The remainder are linked by an 802.11g wireless network with an access port.

All computers run Windows XP Professional except for the two print servers and two administrative computers, which run Windows 98.

Security
We compared each computer against the checklist in the Security Guide for Small Business. We also ran the Microsoft Baseline Security Analyzer. These actions produced the following results:

Virus protection: Not present on six computers; not up to date on four computers; generally, most users were aware of viruses but were a bit unsure about what they could do to prevent them.

Spam-filtering software: Many users have begun to complain about spam, but no protectibon is in place.

Firewall: We thought the ISP’s router included a firewall, but it doesn’t; so, we don’t have one.

Updates: All the Windows XP Professional systems are up to date because they were automatically checking and downloading updates. However, several installations of Microsoft Office need updating, and the Windows 98 computers are not updated at all.

Passwords: A random sampling found that most people aren’t using passwords at all or had them written on notes posted near their computers. In particular, none of the laptop computers are password protected.

Physical security: The window locks, doors and alarms are pretty good. However, none of the computers have a serial number etched on its case, and we didn’t have a log of the serial numbers. We also noticed that everyone, including Tracy and the two directors, are using the same printer, which means that there is a risk of confidential documents being left there by accident.

Laptop computers: All the laptop computers had shiny bags with big manufacturer logos. No security locks.

Wireless networking: We just set up the network and it worked, so nobody touched any of the settings. However, it turns outs that our wireless network is open to outsiders who have the capability to find wireless networks and freely use the Internet connection for their own purposes.

Web browsing: Everyone thinks that having fast Internet access is a great benefit, but they are using it all the time and without much thought to the risks. Through a content filtering audit, we found that 20 percent of our Web browsing was unrelated to work. We don’t have a policy on acceptable use, and no one is taking any security measures.

Backups: We back up data on the server to a Digital Audio Tape (DAT) drive on a weekly basis, but we haven’t tested restoring the data; unless people remember to copy local files to the server, those files aren’t backed up, which is unsatisfactory. The server contains our primary customer database, so well-tested backups are essential, as is keeping a copy of backups offsite.

Priorities
Based on our assessment, the team considers these to be our security priorities:

1.

Intruder deterrence:

Installing firewalls

Installing and updating virus protection

Strengthening the wireless network

Replacing the four computers running Windows 98 with computers running Windows XP Professional with SP2

Ensuring that all computers are configured to be updated automatically

Educating users and explaining policies

2.

Theft prevention:

Helping protect laptop computers

Inventorying and marking assets

Moving the server into a secure, lockable room

Physically securing desktop and laptop computers

3.

Disaster prevention:

Creating better backup plan with offsite storage

Ensuring backup of users’ local data

Storing copies of critical paper documents offsite

Regularly testing the backups by performing a restore

4.

Internal security and confidentiality:

Creating a strong password policy

Securing printers for accounts, human resources, and directors

Reviewing security for filing cabinets and confidential documents

Security Plan

After performing our assessment, we have devised the following security plan:

Action Items

1.

Select, purchase and install a hardware firewall (or ask our ISP or technology consultant to provide one).

2.

Enable Windows Firewall on the server and on all desktop computers.

3.

Make sure that antivirus software is installed on all computers and that it is set to automatically update virus definitions.

4.

Configure computers running Office Outlook 2003 to use junk e-mail filtering. Select, purchase and install spam-filtering software on the mail server, if necessary.

5.

On the wireless network, disable service set identifier (SSID) broadcasting, choose and configure a sensible SSID, enable WPA encryption, enable MAC filtering, and configure the access point to allow traffic only from the desktop and laptop computers in the office.

6.

Replace the four computers running Windows 98 with computers running Windows XP Professional with SP2.

7.

Review all machines to make sure that they are fully updated, and set them to automatically refresh those updates.

8.

Buy new, nondescript laptop computer bags and locks.

9.

Security mark all desktop computers, laptop computers and their components.

10.

Log all serial numbers.

11.

Buy and install desk security locks for desktop computers.

12.

Find a suitable, lockable room for the server and move it there.

13.

Review backup and restore procedures. Ensure that user data is either stored on the server or copied across regularly prior to backups. Implement daily backups. Ensure that a full backup goes offsite once a week. Ensure that the backup is password protected and encrypted. Review paper documents and make photocopies for secure offsite storage of critical documents.

14.

Configure Windows Small Business Server 2003 and individual machines to enforce reasonably strong passwords. Discuss with users what would be an acceptable balance of convenience and security. (We don’t want them writing down their new passwords.)

15.

Configure workstations to log users out and require a password to log on again if the workstation is idle for more than five minutes.

16.

Buy cheap printers for accounts, human resources and the two directors so that they can have private documents printed securely.

Response Planning
In the event of a security breach, we will contact Jeremy. His company has a one-hour response policy during office hours and a four-hour response policy at all other times to deal with serious incidents, such as virus infections. In addition, Steve will monitor the server and firewall regularly to make sure that no breaches have occurred.

Ongoing Maintenance and Compliance
Steve will be responsible for security on a day-to-day basis, with Denise taking overall responsibility. Steve will continue his own self-education on the topic, subscribe to security bulletins from Microsoft and our antivirus software supplier, and meet with Jeremy on a regular basis to monitor compliance with the new policies.

On a monthly basis, Steve will make sure that Windows and our antivirus software are updated and that the backup and restore procedures are working properly. He will also be responsible for ensuring that new computer equipment is properly configured and up-to-date.

Kim will be responsible for ensuring that new staff joining the company are fully trained in the company’s security policies and procedures.

There will be a full, formal review of this plan in six months.

Resources and Budget

External Resources

Sutton and Sutton to review our rewritten staff policies

Jeremy for advice during the creation of this plan

Jeremy for help with implementation

Internal Resources

Although we are not paying for our own staff directly, to be clear about the allocation of resources and the time that is available for this work, we have authorised the use of internal staff as detailed above.

Assets
Besides the physical property, our main assets are:

Our product designs and marketing collateral

Records of our contracts with vendors

Our e-mail database and archive of past e-mail messages

Sales orders and the customer database

Line-of-business (LOB) software for online booking and reservations

Paper legal records stored in various filing cabinets

All these assets are considered confidential and should be accessible only on a need-to-know basis. In addition, they need to be protected and backed up as safely as we can manage.

Risks
We believe the risks break down into four main categories:

Intruders. This category includes viruses, worms, hijacking of our computer resources or Internet connection, and random malicious use. These are the risks that anyone using computers connected to the Internet faces. High risk, high priority.

External threats (rivals, disgruntled ex-employees, bad guys after money, and thieves). They are likely to use the same tools as hackers, but in deliberately targeting us they may also try to induce members of staff to supply confidential information or even use stolen material to blackmail or damage us. We need to protect our assets with physical and electronic security. High risk, high priority.

Internal threats. Whether accidental or deliberate, a member of staff may misuse his or her privileges to disclose confidential information. Low risk, low priority.

Accidents and disasters. Fires, floods, accidental deletions, hardware failures, and computer crashes. Low risk, medium priority.

Policy Changes
Kim will update the staff handbook to include new policies on:

Acceptable use of e-mail and the Internet

Use of passwords

Who can take company property away from the office. After she has completed a first draft, it will be reviewed by the directors and the company’s attorneys before being rolled out.

User Education
We expect to give up to two hours of user training in small groups as a result of these changes. Training will cover:

The importance of security

Passwords

Laptop computer security

Virus prevention

Safe Internet browsing

Updating software and operating systems from a server

Introducing the new staff policies

Making sure employees understand the consequences for not complying with policies

Assessing employees’ understanding of the new policies

Periodically reviewing the practise of the new policies

Project Time Line and Responsibilities

The top three priorities—firewall, virus protection, and strengthening the wireless network—will receive urgent attention from our security consultant, Jeremy.

The remaining tasks will be done by our own staff in order of priority. We expect the top three priorities to be completed within a week and the remaining tasks within 30 days.

Steve will be responsible for purchasing and implementing the technical changes. Kim will be responsible for all the policy and training requirements. Denise will oversee the project and be responsible for any other tasks that arise.


Sign into Microsoft Small Business+ for free web-based training, online chat help and software support.

sign in
Security information

Find a local Microsoft Small Business Specialist to help with your IT needs

Microsoft Small Business SpecialistMore info >

What do 'flexible working' practices mean to you?

What do 'flexible working' practices mean to you?








Free business newsletters - subscribe now

Our free newsletters are packed full of business advice and ideas - plus all the latest news

Security information

Get the latest bulletins and updates direct from Microsoft