Task: Develop Security Plan
Based on the security requirements (contractual, Group and local), an Information Security Plan must be developed to drive the security and compliance requirements through the engagement. The plan would typically include policies, procedures, controls and agreed Key Performance Indicators against which they are measured.
Main Description

Based on its understanding of the security requirements, the Information Security and Compliance Lead must define the overall security and compliance solution, encompassing the complete scope of security.

An Information Security Plan must be established that will drive the security and compliance requirements through the engagement.

The following are typically part of the Information Security Plan:

  • Security policies – These should be framed in line with the security standards complied with by the Client and with other security requirements
  • Security objectives – These should be in line with the policies and should be supported by measurable KPIs
  • Procedures and controls – A set of ongoing operating controls, in line with the policies, must be established
  • Risk assessment process – The framework must establish and maintain information security risk criteria, including the criteria for performing information security risk assessments and the risk acceptance criteria
  • Risk Treatment Plan – The framework must plan the actions to address these risks in such a way that the actions are implemented and integrated into the information management system processes. It must also include an action plan for residual risks and a method to evaluate the effectiveness of the actions
  • Incident management plan – The severity levels of security breaches must be defined, and a system must be established to track and report these security incidents
  • Responsibilities – Roles and Responsibilities matrices must be defined and appropriately assigned
  • Security KPI measurement and reporting – The framework must have a process and system in place to measure the security KPIs, breaches and actions taken, and to report them to the respective stakeholders
  • Audit procedures – The security and compliance framework must have a defined audit process, including its scope, schedules, frequency, stakeholders and the plan for analysing audit logs
  • Communication protocols – Methods, vehicles, frequency, formats and a governance body must be developed for executing security-related communication with stakeholders

The Information Security Plan must be approved by an Independent Security Manager.
