Security planning is the process of formulating necessary action plans, preventive and control measures, and other procedures to shore up an organization’s security base. It can be defined simply as the process of setting up programs, checks, and measures to protect a system or facility against unforeseen threats and hazards that can affect business operations, causing short-term and long-term loss of staff, assets, reputation, legal actions, and possibly the eventual crumbling of the business.

Security planning is very important because, in the event of an attack, it ensures business continuity and a return to normal business activities as soon as possible, prevents a loss of reputation and of client/personal documents, and ensures that contingency plans are promptly deployed when a threat is launched or perceived.

A good security plan will take the following into consideration:

These are areas that a threat, a risk, or a vulnerability can negatively impact. A robust security plan will take these into proper consideration. A security plan not only needs to identify the risks, but should also put in place a viable and practical process-driven implementation plan involving proper communication and engagement. One of the pitfalls of a failed security planning strategy is communication. By deciding “who” the target audience is, “what” the key message to be articulated is (security planning in this case), and “when” the communication is to be engaged at each level, the plan can achieve the desired outcome. With these sorted out, the engagement of all stakeholders (from top management to the least technical personnel) makes a security plan viable.

Threat

A threat is a danger that can take advantage of a weakness in any system to bypass its security and cause harm, where the harm ranges from unauthorized access, elevation of privilege, disclosure, modification, destruction of information, and/or denial of service. A threat can be willfully instigated, which is also called an intentional threat, such as when an organized strategy is launched against the system by an individual or group; or a probability threat, also called an accidental threat, such as when a natural disaster or system malfunction occurs. A good example in this case would be hackers taking down a website and branding the whole website with their theme (as was the case with the website of a religious organization I worked with a few weeks ago. They put their skull logo and some European language all over the site). Others include data theft, which may include financial records or strategy information, among others, which may lead to the compromising of privacy and losses of other kinds. Security planning takes threats into consideration and plans to mitigate them.

Risk

This is the potential or likelihood, and even more so the probability, based on time, of something happening to a built system, either intentional or accidental, between now and an unspecified future time. Loss of data is a risk. Either intentional or accidental, it exists as a possibility. It should be prepared for because of the probability of its eventuality. Unavailability of the operating system and environment due to any circumstance is a risk. Unauthorized access of any kind is a risk.

Vulnerability

This is an inherent weakness in any system that can be taken advantage of to gain or repudiate access, modify data, or deny service, among others.

Steps to Security Planning

  • Prepare/Review Security Plan: The first step in security planning is to prepare a robust plan that is most suitable for use in the facility/system. It takes into consideration the type of facility/system, number of users, accessibility, what the system or facility is used for, types of threats the system is exposed to, etc. The security plan should also be reviewed and updated periodically to determine how to handle/deal with new threats.
  • Threat Assessment: This step considers the full range of threats that a system or facility is exposed to and evaluates the probability of occurrence of such threats to the system. Potential threats to a system include hackers, spyware, viruses, Trojan horses, worms, adware, sabotage, document/identity/password/data theft, etc.
  • Risk Assessment: This is the process of identifying potential threats to evaluate the loss or damages that could be incurred if a threat is intentionally or accidentally launched. These losses include valuable business time, documents, system crash, loss of reputation, etc.

  • Vulnerability Assessment: This is usually carried out to determine how vulnerable a system or facility is to threats and the loopholes or weak links that a threat can exploit to enter a system/facility.
  • Preventive Measures: These are measures put in place to prevent a system from being attacked by a threat. Preventive measures include the use of passwords, access control, use of a firewall on the system/router at network level to prevent threats, the use of updated antivirus/anti-spyware, routine system/data audit, etc.
  • Control Measures: These are threat control measures that are introduced to reduce the various levels of risk as well as the amount of damage suffered in the event of an attack. Control measures include isolating a threat to prevent it from spreading, the use of quarantine software, system shutdown, system rebuild, etc.


Security Planning Table

| Facility/System | Threats | Risk | Vulnerability | Prevention | Control |
| --- | --- | --- | --- | --- | --- |
| PC/Laptop | Theft, virus, Trojans, system crash, identity/data/financial records theft, worms, etc. | Moderate | Medium | Access control; Data encryption; Use password; Backup data; USB guard software; Periodic system scan; Update antivirus/browser | Access control; Use/change password periodically; Safe mode; Antivirus; System format |
| Network | Hackers, sabotage, spyware, virus, Trojans | Severe/High | High | Access control; Firewall; Staff vetting; System upgrade; Encryption | Access control; Individual/staff ID/password; System/data audit |
| Cyber-Cafe | Virus, hackers, system crash, worms, Trojans | Moderate/High | High | Access control; Firewall; Staff vetting; Use password; USB guard software; Periodic system scan; Update antivirus/browser | Access control; Individual/staff ID/password; Safe mode; Antivirus |
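
A coverage check over the planning table above, added here as an illustration and not part of the original article: for each facility it reports the listed threats that no measure in the Prevention or Control column addresses. The mapping from measures to threats is an assumption and should be adjusted to the environment being planned for.

```python
# Added example: gap analysis over the page's planning table. Threat and measure
# names come from the table ("identity/data/financial records theft" is shortened
# to "data theft"); the GROUPS mapping is an assumption made for illustration.
MALWARE = {"virus", "trojans", "worms", "spyware"}

def split(cell):
    return [item.strip() for item in cell.split(",")]

# Assumed: the threats each measure addresses.
GROUPS = [
    (MALWARE, "usb guard software, periodic system scan, update antivirus/browser, antivirus"),
    ({"hackers", "data theft"}, "use password, use/change password periodically, "
                                "individual/staff id/password, encryption"),
    ({"theft", "data theft", "hackers", "sabotage"}, "access control"),
    ({"data theft"}, "data encryption"),
    ({"system crash"}, "backup data, safe mode"),
    (MALWARE | {"system crash"}, "system format"),
    ({"hackers"}, "firewall, system upgrade"),
    ({"sabotage"}, "staff vetting"),
    ({"sabotage", "hackers"}, "system/data audit"),
]
MITIGATES = {m: threats for threats, cell in GROUPS for m in split(cell)}

# Rows transcribed from the table: (threats, prevention column, control column).
PLAN = {
    "PC/Laptop": ("theft, virus, trojans, system crash, data theft, worms",
        "access control, data encryption, use password, backup data, "
        "usb guard software, periodic system scan, update antivirus/browser",
        "access control, use/change password periodically, safe mode, antivirus, system format"),
    "Network": ("hackers, sabotage, spyware, virus, trojans",
        "access control, firewall, staff vetting, system upgrade, encryption",
        "access control, individual/staff id/password, system/data audit"),
    "Cyber-Cafe": ("virus, hackers, system crash, worms, trojans",
        "access control, firewall, staff vetting, use password, usb guard software, "
        "periodic system scan, update antivirus/browser",
        "access control, individual/staff id/password, safe mode, antivirus"),
}

def gaps(facility):
    """Return, per column, the listed threats that no measure in that column addresses."""
    threats, prevention, control = (split(cell) for cell in PLAN[facility])
    out = {}
    for column, measures in (("prevention", prevention), ("control", control)):
        covered = set().union(*(MITIGATES[m] for m in measures))
        out[column] = sorted(t for t in threats if t not in covered)
    return out

if __name__ == "__main__":
    for name in PLAN:
        print(name, gaps(name))
```

Under this assumed mapping, the Network row lists spyware, viruses and Trojans as threats but names no anti-malware measure in either column, and the Cyber-Cafe row has no preventive measure for a system crash.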

Tips to Protect Your Computer from Threats

  • Install recent antivirus/anti-spyware software and update it regularly to prevent the system from being infected by malware and programs such as viruses, worms, adware, Trojan horses, etc.
  • Personal/network firewall software should be installed and updated regularly to prevent unauthorized connections to the system/network.
  • Passwords that are fairly long and hard to guess and that contain various types of characters should be set for each user/staff member and changed at regular intervals.
  • Turn off the system when not in use. Systems that are always on are more prone to being infected, spied on, and hacked.
  • Back up important information to external storage devices periodically to prevent loss of data and other important documents in the event of a virus attack or system crash.
  • The system should be located in an area that can only be accessed by the owner or authorized personnel.
  • Ensure that only necessary software/programs are installed. Uninstall all unused or unneeded programs to free up more disk/memory space and enable the system to run faster.
  • Update the operating system through automatic updates and enable its security options. Ensure that your operating system, programs, and installed software are still being supported by the vendor. Use of an unsupported operating system or software can be harmful to the system.
  • Encrypt the network/data to prevent data theft.
  • Periodic system scans and disk defragmentation should be carried out to identify new bugs and improve system performance.
  • All USB devices should be scanned with updated antivirus software to detect and clear any potential malware.
  • Install an updated USB security guard.
  • Update your browser regularly and activate its security features.
  • Data/documents audit should be carried out regularly to ensure that all data is safe.
  • Electronic security gadgets, such as CCTV cameras, motion sensors, keycards, etc., should be used to monitor and control access to the facility.