
Information Security Strategic Plan for 200X-200X [Institution / Responsible Office / Date]

Notes: This plan was adapted from the University of Colorado System's IT Security Program Strategic Plan. The purpose of this sample plan is to establish a formal IT Security Program for your institution. The intended audience for this plan is your executive leadership, up to and including board members and external constituents where appropriate.

Introduction
Notes: Provide background information sparingly and quickly transition to the core of your plan. As an example:

In April 2006 the University hired its first chief information security officer (CISO) for the purpose of building an IT Security Program (Program) for the University's three academic campuses at Boulder, Colorado Springs, and Denver, as well as System Administration. The CISO's initial efforts focused on staffing the CISO office and [ . . . background continues . . .] This report summarizes the University's strategic plan for launching an IT Security Program across its academic and administrative campuses. The plan is presented as a set of goals for Program implementation and oversight. It is important to note that establishing an IT Security Program is not a one-time event, but an ongoing venture that follows a cyclical process. The implementation phases (see below) are not cleanly separated processes, but instead represent a flow of activities that yield an ever-maturing Program. The implementation cycle involves establishing information security requirements, educating people about their responsibilities under those requirements, building governance structures to ensure Program compliance, and monitoring and reporting of progress.

IT Security Program - Implementation Cycle


[Figure: Implementation cycle diagram. Four phases arranged in a loop: Policy and Requirements; Education and Awareness; Oversight and Enforcement; Assessment and Reporting.]

Notes: The paragraph above makes a crucial point about information security. Information security is not a one-time project, but an ongoing process that is the shared responsibility of your institution. This is a great opportunity to advance executive awareness regarding what it means for an organization to manage information security effectively.

University of Colorado System /Jack McCoy, Ed.D., CISM, CIPP

Strategic Goals for Program Implementation and Management

The following goals are designed to establish formal information security management and governance processes.
Notes: The strategic goals in this plan should be integrated into your institution's academic and administrative strategic planning processes. These goals are strategic in nature and should be supported by an operational plan. For guidance on developing an operational plan, please see [document name and link to Tammy's Plan]. Resist the urge to unload pages of detailed plans on your executive leadership. They are unlikely to have the time or inclination to read them. If they want to see the tactical plans, they'll ask for them. Always commit to providing periodic progress reports. For executive-level groups, one-page briefings are generally welcome.

Goal 1: Develop, Approve, and Promote a Comprehensive IT Security Policy Suite. In collaboration with all appropriate University representatives, the CISO will lead efforts to develop, approve, and launch a suite of information security policies, based on the ISO 17799 code of best practices for information security.[1] These policies will formally establish the University's IT Security Program and set forth employee responsibility for information protection.
Notes: Smaller institutions may not have the resources necessary for a dedicated CISO position. As an alternative, a smaller institution may distribute CISO responsibilities across multiple positions, such as the ISO and an academic/administrative officer. Nevertheless, it is important to clearly identify the persons with CISO responsibilities.

Goal 2: Ensure All Employees are Aware of their Information Security Responsibilities. Require all employees to participate in information security awareness courses, which serve to inform employees of their responsibilities for protecting the information in their care. To complement employee awareness of responsibility, each campus is to develop a training program to ensure their employees have the knowledge needed to carry out those responsibilities within their campus environment.

Goal 3: Establish Oversight Authority for Information Security at Each Campus. Designate a person on each campus with information security oversight authority for all IT operations on that campus. Such a person would have the authority to enforce the requirements of University and campus policies for information security. This person would have the authority to authorize new IT services, shut down services that are out of compliance with policy, or transfer management of those services to a department or service provider with the requisite capabilities.
Notes: This goal is aimed at a multi-campus university and may not be applicable to smaller institutions with a single campus.

Goal 4: Establish a Process for Regular Progress Reporting to Executive Leadership. Establish a regular schedule for reporting of campus Program progress to the CISO. The CISO will review campus assessments and progress reports and deliver management briefings on a regular basis to the Security Advisory Committee (SAC), Executive Committee, President, and Board of Regents.
Notes: Departments should be responsible for reporting to the CISO on their progress with information security plans and initiatives.

[1] Further information about ISO 17799 (ISO 27000) and its use in security plans may be found at _____.

Goal 5: Inventory Sensitive Data and Purge Unneeded Data. Initiate a data inventory process on each campus to identify sensitive data and ensure the data is appropriately protected. Sensitive data no longer needed for business or archival purposes will be promptly purged in accordance with institutional archival policy. Remaining data will be adequately protected, following guidance from campus IT security officers and business owners.
Notes: While goals 1 through 4 are designed to establish a formal information security program, goal 5 is different in that it is designed to address a specific, yet pressing need: to quickly reduce the amount of sensitive information that may be distributed throughout an institution's computing infrastructure. Although the inventory process is typically a requirement of the policies in goal 1, oftentimes there is a considerable amount of sensitive data distributed throughout the campus infrastructure. Given that many of our data breaches involve sensitive data that is outdated or no longer needed, a special effort to identify and remove unneeded data may be warranted on your campus.
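Goal 5 describes three activities: find the sensitive data, purge what is past its retention need, and protect the rest. The Python sketch below is an added illustration of how a campus IT security officer might drive a first inventory pass; it is not part of the original plan or the University of Colorado's tooling. It scans file contents for US Social Security numbers and payment card numbers, validates each hit (SSA structure rules for SSNs, a Luhn check for card numbers) so that asset tags and serial numbers do not flood the report, and then splits the hits by file age into purge candidates and a protect list. The sample files, the seven-year retention window, and the pattern set are all assumptions made for the example.

```python
"""Sensitive-data inventory sketch for Goal 5 (illustration, not the plan's own tooling).

Scans file contents for US Social Security numbers and payment card numbers,
then splits the hits into purge candidates (older than the retention window)
and files that must instead be protected. The sample files, the seven-year
window and the two pattern checks are assumptions made for the example.
"""
import re
from dataclasses import dataclass

# SSN in the common 3-2-4 written form.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

RETENTION_DAYS = 7 * 365  # assumed institutional retention window


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues (area 000, 666, 900-999; group 00; serial 0000)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, satisfied by every issued payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Count validated SSN and card hits in one document's text."""
    counts = {"ssn": 0, "card": 0}
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            counts["ssn"] += 1
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            counts["card"] += 1
    return counts


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    count: int
    age_days: int  # days since last modification


def inventory(files: dict) -> list:
    """files maps path -> (text, age_days); returns one Finding per (path, data kind)."""
    findings = []
    for path, (text, age_days) in files.items():
        for kind, n in scan_text(text).items():
            if n:
                findings.append(Finding(path, kind, n, age_days))
    return findings


def purge_candidates(findings, retention_days=RETENTION_DAYS):
    """Files holding sensitive data that are past the retention window."""
    return sorted({f.path for f in findings if f.age_days > retention_days})


def protect_list(findings, retention_days=RETENTION_DAYS):
    """Files holding sensitive data that are still needed and so must be protected."""
    return sorted({f.path for f in findings if f.age_days <= retention_days})


# Constructed sample files: path -> (content, days since last modified).
SAMPLE_FILES = {
    "hr/2001_payroll.txt": ("Employee 123-45-6789, gross pay ...", 9 * 365),
    "bursar/refunds_q3.csv": ("refund,4111 1111 1111 1111,45.00", 120),
    "it/assets.txt": ("asset tag 000-12-3456, serial 4111111111111112", 30),
    "syllabus.txt": ("Office hours 10-12, room 204", 400),
}

if __name__ == "__main__":
    found = inventory(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}: {f.count} {f.kind} hit(s), {f.age_days} days old")
    print("purge candidates:", purge_candidates(found))
    print("protect:", protect_list(found))
```

On the sample set only the old payroll file lands on the purge list; the bursar refund file is flagged but kept for protection because it is inside the retention window, and the asset file produces no finding because its SSN-shaped tag uses area 000 and its serial fails the Luhn check. In a real pass the file age would come from the filesystem or records system, and the purge list would be handed to the business owner for sign-off under the archival policy rather than deleted automatically.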


