A system security plan, for many organisations, is not just something that is nice to have. A plan for managing the security of your computer systems is a key protection against cyber attack and data breaches, and it is also a requirement for any agency that wants its cyber security to meet national standards.
It is classified as an essential control document by the New Zealand Information Security Manual (NZISM), the nation's official manual on information assurance and information systems security. Such a plan is also a requirement of the Protective Security Requirements (PSR), which set out the Government's expectations for managing personnel, physical and information security.
Clearly, a system security plan is crucial to any organisation or agency conducting business online. Here’s how you can develop one that will serve its intended purpose.
Understand what you should be protecting
The first step in putting together a good system security plan is to determine which systems and information it must cover. Do this by identifying your critical systems and data through a business impact analysis. For government agencies, there are four key steps:
- Classify your systems and data using the guidelines for protection of official information (https://www.gcsb.govt.nz/assets/GCSB-Documents/Guidelines-for-Protection-of-Official-Information-Wallchart.pdf)
- Identify threats and vulnerabilities
- Conduct a risk assessment and identify control requirements according to the NZISM
- Identify missing controls and candidate mitigation strategies
This provides the basis for identifying the controls required to protect your systems and data.
Some information, and some systems, will be more valuable to your organisation than others. As part of your security planning, identify which are the most sensitive. Applying Business Impact Levels, or carrying out a Business Impact Assessment, lets you rate the consequences of a security breach or system failure for each part of your business.
Private client or customer information is, of course, a very high priority. Under the Privacy Act 2020, privacy breaches that have caused, or are likely to cause, serious harm must be notified to both the affected individuals and the Privacy Commissioner, and fines can apply if this is not done.
Decide on controls
Using the risk assessment and the NZISM, identify the controls that apply to the systems under review. Some are mandatory baseline controls for government agencies, tied to the classification of the information the system handles, as prescribed by the NZISM.
An important step in formulating a system security plan is identifying which controls apply to which systems, and at which layer (network, platform, operating system, application, data repository, or managerial/process). The answer is usually a combination, determined by the system's classification, its function and the technology involved.
Each organisation or agency must decide which controls apply to their specific data and systems, informed by the steps above.
Write and implement the plan
Controls are ideally implemented in layers that complement each other, designed both to reduce the likelihood of an attempted compromise and to slow its progress if one occurs.
Each layer of a computer system presents different attack vectors and vulnerabilities that might be exploited. Often the responsibility for securing different components is distributed across an organisation under separate management lines, so that network and firewall controls are managed separately from platform, operating system, application, database, endpoint and other controls.
A good plan takes this into account and sets out the matrix of control responsibilities within the organisation. It also covers the requirements for control assurance, operation, resourcing and budget, both for building the controls and for keeping them effective in operation.
Some controls will be more effective at mitigating risk than others. A good risk assessment provides this detail by distinguishing key, secondary and compensating controls.
Determine your budgetary constraints, perform the analysis required (using the risk assessment), and draft a plan that gives the best bang for buck in remediating risks.
Socialise the draft with key business and security stakeholders to gain consensus to move ahead with implementation.
A robust system security plan will substantially reduce your organisation's exposure to cyber threats, but only if it is kept current. Plan for regular review, and socialise each revision to secure budgetary approval and the effective ongoing operation of the plan.
Consulting security experts is the best way to ensure that a system security plan covers all the necessary bases, and is in line with the New Zealand Information Security Manual and Protective Security Requirements. CANDA, experts in cyber security and ICT security certification, can help you through the process and ensure all relevant standards are met. Get in touch to find out how we can put together a plan that ticks all the boxes for your organisation.