Navigation Bar For Technology Leaders

The Planning Process

Security Planning Protocol Phase 3:
Risk Reduction

Flowchart Version of Phase3

It is useful to identify at least two types IT-related assets: those that are so important that they have to be protected, even if the district can only take the first steps in a very long process, and those assets exposed to threats that can be ameliorated easily. The remaining concerns are ranked with consideration of the time required to implement safeguards, the likelihood of success, the cost of prevention compared with the cost of replacement or repair if things go wrong, the immediacy of the threat and, most importantly, the potential organizational impact. This prioritized list forms the basis of a security action plan which the security team presents to district leadership for approval. At this point the security team has produced a formidable document. Grounded in district objectives, with assessment tools validated by internal and external stakeholders, methodically tested, the action plan carries the weight of district consensus as well as documented evidence of concern. The security project has a high chance of success largely because of the constituent groups brought together to work on it.

Implementation follows. An intermediate security verification process of additional stress-testing ensures that the remediations were effective.

After completing the third major deliverable, the Security Action Plan, he biggest danger is failing to renew the security cycle . The security team faces two major tasks:

  • Implementing an annual review cycle for the Security Protocol
  • Creating the Crisis Management Plan.

Flowchart Version of Phase 3

>>Next Phase: Crisis Management

 

3-A. Evaluate Options

Purpose: To identify options available to close security gaps.

Immediate outcome : Exploration of “best practice” and “recommended” options for dealing with identified security problems, and creation of a realistic set of steps towards implementation that takes local resources into account.

This will lay the basis for a security plan that strengthens technical defenses, addresses physical and environmental issues, improves security-related policy, increases user participation, and clarifies IT staff roles.

3-B. Create & Implement Security Plan

Purpose: To close security gap

Immediate outcome : Implementation of technical and operational safeguards along with policy changes, new training, and increased communication with stakeholders.

The formal Security Plan and its resulting Action (“To Do”) Lists should flow smoothly from the preceding work. The security plan must be recursive: it must incorporate recognition of the crucial value of regular continued testing, monitoring and review of the security plan.

3-C. Revise S.O.P. (Standard Operating Procedures)

Purpose: To institutionalize security improvements

Immediate outcome : Improvements in “the way we always do things here.” To implement technical and operational safeguards along with the guidance of policy and the support of training and stakeholder communication.

 

  
A Leadership Initiative of CoSN
Home Project Overview About the Project Executive Summary Conference Handouts & Slides Press Releases For Superintendents & Policy Makers For Technology Leaders Share Your Story Free Newsletter Contact Us Join CoSN