
The Planning Process

Security Planning Protocol Phase 1: Set Security Goals

Flowchart Version of Phase 1

The security process begins with laying out the organizational mission and then describing how information and technology support organizational objectives. This effort requires participation by district leadership along with IT staff and other stakeholders who together form the security team, bringing a district-wide perspective to the entire security project. The team agrees on a scope of work – identifying which IT tools, data, and services are to be included, thereby allowing for more focused effort.

Before security assessment can begin, decision-making guidelines must be confirmed. By reconciling external “best practice” metrics with internal district requirements, the security team will build its first deliverable, a set of security decision-making standards.

By the end of Phase 1, through regular communication among district leadership, IT staff, and users, a new awareness of technology and the role of the IT organization will emerge.


1-A. Purpose of IT Security Review

Purpose: To establish context for the entire security review and planning process.

Immediate outcome: Bring together stakeholders and agree on scope, guiding values, and decision-making process of the review.

The value of all IT roles, assets, and activities must be validated in terms of contribution to the central mission of the district. All judgments concerning IT and security must be rooted ultimately in the extent to which the decision will impact the district mission.

1-B. Scope of Inquiry

Purpose: To define in practical terms the limits of the security project.

Immediate outcome: A list of things (tools, systems, roles, policies, and services) requiring evaluation and risk assessment, as well as the time frame and available resources to be devoted to the effort. Start with the District Security Rubric to make sure you review all factors that contribute to security, or its absence.

Without a sharp focus, scope creep may bog down the entire process.

1-C. Values to Guide Decision-Making

Purpose: To establish decision-making criteria that will gain wide consensus among stakeholders.

Immediate outcome: Define criteria for setting priorities for (a) critical assets and (b) security requirements.

IT decisions cannot be based solely on internal desires or external demands. Effective decisions must blend industry practice with local considerations to be credible and effective. Security team members, representing diverse points of view, must nevertheless agree on a rubric for decision-making.

 

 
A Leadership Initiative of CoSN