Security Plan

Last updated: August 27, 2024
Audience: IT Staff / Technical

Purpose

  • Describe critical assets and how they support the organization’s mission
  • Document existing security controls
  • Define lines of responsibility and accountability
  • Describe objectives and goals related to security

Goals

  • Improve informed decision-making and prioritization of IT efforts
  • Help everyone understand the information environment
  • Help everyone understand responsibilities and expectations
  • Prepare for incident response
  • Understand organizational and University-wide risks
  • Comply with Administrative Policy Statement 2.6

Getting Started

Important considerations when developing a Security Plan:

  • One size does not fit all – Some departments within a large organization or some individual assets may require their own Security Plan. Specific regulatory requirements, different IT environments, certain data types, critical business functions, and organizational reporting lines are some of the factors to consider when determining the approach that is best for your Security Plan.
  • Reference centralized services – Rather than explain how a centralized service (e.g. a UW-IT hosted server) works, it is sufficient to describe which requirements the centralized service addresses, the lines of responsibility, and how accountability is tracked.
  • Reference outsourcing – Like centralized services, outsourced solutions can be incorporated into the Security Plan by reference, together with a description of how decisions are made about the third-party services.
  • Map asset dependencies – An asset may be critical because of its own value or because other assets depend on it.
  • Use existing sources – Leverage documentation, information resources, and systems that already exist.

Resources

The Office of Information Security has developed the following resources in order to ease the development, maintenance, and use of a Security Plan by drawing upon both the business and technical expertise that already exists within an organization.

Please feel free to engage the OIS Advising team, using the Contact OIS link below, to provide further clarity and context on filling out any of these documents.