Building an Information Security Plan
With the increasing frequency of data theft attacks and the recent legislation adopted in states like Massachusetts and Nevada, many companies are facing the task of creating an Information Security Plan. Although the concept itself is not new, until recently, the Information Security Plan was generally only found in larger businesses, or in those with a specific focus on security. Now, however, businesses of all sizes across America are recognizing the Information Security Plan as the cornerstone for their company’s security foundation. In fact, even those companies not required to adopt a plan legally are taking steps to create this important document.

At first glance, the task of writing an information security plan might seem intimidating, especially for smaller and mid-sized businesses that are just beginning to focus on security risks. This article will break down and explain the process of creating your company’s plan by giving you a solid understanding of what an information security plan should contain.

It is important to note that this article is intended to be a general guide to creating your Information Security Plan. Your own business likely has its own set of unique risks for which you’ll need to account. We highly recommend that you consult a security expert or legal counsel if you have any questions specific to your business that aren’t addressed in this article.

What is an Information Security Plan?

An information security plan is a document that outlines what sensitive information a company has and what steps the company takes to protect that data. In addition, the document analyzes the risks related to the loss or theft of a company’s data, and explains the company’s response in the event of a data breach. Although the information security plan covers a broad range of topics, it is intentionally succinct, so that the plan becomes a clear and easily understood reference document for everyone in the company.

Why Build an Information Security Plan?

We’re taught from a young age that planning for the unexpected or for emergencies will help you handle those events should they occur – just think back to elementary school, where, once a month, you practiced the fire drill. Building an information security plan is key to preparing your company for the ever-increasing threat of data theft. By proactively identifying and managing your company’s unique risks, taking steps to minimize those risks, and creating a plan of action in the event that the threat becomes reality, you’re in essence making sure that everyone escapes the fire without injury.

Additionally, having a plan in place represents taking a proactive approach to managing the various risks that your business may face, and enables you to make the right decisions as to how you should spend your resources to put safeguards in place. Ultimately, your information security plan will help ensure that the biggest risks are kept to a minimum, and that you’re adequately prepared to respond to any event that might occur.

Steps To Build an Information Security Plan

Step 1: Designate your Information Security Manager.

The Information Security Manager is the individual at your business who will take responsibility and ownership of the security plan. The responsibilities of the Information Security Manager include authoring the plan, routinely reviewing and updating the plan, facilitating employee training for security related policies and procedures, and ensuring that the plan is enforced by the business as a whole.

Step 2: Identify sensitive information.

This section is the foundation of your security plan – identification of your company’s sensitive data and a comprehensive listing of exactly what needs to be protected. You will want to catalog every piece of sensitive information your organization collects or comes in contact with, and for each, give an explanation of how it is handled and in what form it is stored. Don’t forget your paper or hard copy records! Although a lot of attention is given to the security of electronic data, paper records are equally at risk of being lost or stolen.

Step 3: Explain how sensitive information is being protected.

Describe the safeguards that are currently in place to protect the sensitive data your company possesses. Protection can take many forms – for example, locked file cabinets, locked storage areas for computer equipment, encryption of electronic records, network intrusion safeguards and secure data transmission methods. Remember to include details on data destruction – how are you disposing of records, electronic or paper, when you no longer need them?

Step 4: Explain how data is shared with third parties.

Another critical step in the creation of your information security plan is to identify and evaluate the third parties your company shares its sensitive data with. Once you’ve identified whom the data is shared with, you should explain how your company is assured that your third parties are taking steps to protect the data that they are exposed to. One effective way to do this is to request a written confirmation from your vendors certifying that they have an information security plan of their own.

Step 5: Make sure your staff is compliant.

One of the most difficult data breach risks to manage in an organization is the “human factor”. It’s crucial that you develop a strategy to raise your staff’s overall security awareness and inform them of the policies and procedures you are implementing as part of your information security plan. Additionally, you’ll want to detail your plans to regularly audit the access that your staff has to your sensitive data, to ensure that only those employees who work with the data are able to access it.

Step 6: Identify risks to your sensitive data.

The purpose of identifying risks is to give your business insight into where the biggest threats come from and where the biggest monetary losses may occur. This then allows you to intelligently prioritize your time and resources, so that you focus on addressing the biggest threats first.

Step 7: Spell out a breach response plan.

Even with the best plans for preventing a data breach, it’s absolutely crucial to have in place a plan of response in the event that a breach does occur. Your plan should be explicit in detailing the manner in which you will respond. You’ll need to detail who is responsible for executing the response plan, the exact actions to be taken, and the order in which they will occur. Also included should be a Notification Listing, which details the notification requirements of all relevant parties – for example, the breach victims, the local authorities, or state or federal authorities. Notification laws vary by state, so you’ll need to familiarize yourself with your own state’s regulations.

Step 8: Commit to review your plan.

Every business is in a constant state of change. New products are offered, vendors come and go, and your computer infrastructure is constantly evolving. The risks that you face today are not the risks that you faced last year, nor will they be the risks you face next year. For that reason, it is imperative that you routinely review and update your information security plan to keep it in sync as your business evolves. Your information security plan should detail how often the document will be reviewed by your Information Security Manager – at least once a year, though more frequent reviews are often recommended.


It is no secret that the world is changing, and businesses, big and small alike, are all vulnerable to the threat of data theft. Recognizing the risks in your company and working to minimize the threats they represent has become part of business reality in today’s technology-driven world. Managing risks starts with making sure you’re well informed and committed to being secure. A properly written information security plan is an invaluable tool in your security toolbox – one from which you can build your security defenses and be confident in your company’s ability to deal with the unexpected.

Article by SHUGO.
Shugo’s mission is to make securing and archiving business information simple and easy for small to mid-sized businesses.