- Overall objective of your organisational security plan: identify and develop a clear approach to addressing priorities, define the scope, establish consensus, enthusiasm and commitment, set an overall timeline, and set realistic expectations for the next engagement.
- Scope: includes the domains of focus (information management, hosting, communications, etc.)
- Expected results: set objectives for the engagement and plot them on a realistic timeline (items further in the future may be left vaguer)
- Objective
- Clarify end goals so that the road map is going in the right direction
- Ensure everyone is working towards the same end goal
- An instrument to evaluate regularly whether everyone is on the same page and on track
- Scope
- Expectations
- Expected Results (with metrics)
- Resources
- Timelines / Roadmap
- Identification of priorities
- Resources allocated
- Realistic timeline/deadlines that take the organisation's competing priorities into account
- Who is responsible for each role/activity (based on the organisational chart)
- Integration into organizational workflow
- Compliance management
- Consensus
- It helps to have a working Gantt chart.
- Priorities
- Present what you learned during the discovery phase to kick off this planning process with the organisation. This will help you:
- Develop clear messaging and priority areas
- Tell a compelling story about where the gaps are and why they matter
- Build trust and show that you understand the organisation
- Deliver training where necessary to inform and lay the groundwork for the presentation
- Present the plan to the organisation when it is finalised. This will help you:
- Receive organisation-wide input for final tweaks to the road map
- Get buy-in for the start of implementation and roll-out
- Requires full buy-in and a collaborative approach to creating the plan
- Recognise that the plan needs to fit into the organisation's wider project management approach
- Ease of use of whatever tool is used to create and share the plan (wiki, pad, git, forum); this is part of the wider challenge of creating responsive communication channels
- Clarity about what is in the plan: headlines, milestones, responsibilities, dates, names
- Periodic check-ins with the security committee/champion
- It is your responsibility to ensure that those who need to know about the plan, and how to contribute to it, are able to do so (e.g. just sending it to a focal point may not be enough if they do not distribute it, or do not know that distributing it is part of what you expect from them)
- Proactively communicate upcoming milestones and deadlines; avoid the situation of attributing blame after a missed deadline, or of mediocre catching up just before the deadline
- Use visuals to highlight key aspects: who does what, and what requires the organisation's input
- Adjust the plan to the audience and what they need to act on; consider different versions for top management, the security committee, and staff
¶ Change and adjust plans
- Plans always change, and it is important to actually change them
- A plan that is never changed is either not being followed or not responsive to the organisation
- Changes respond to the ongoing evaluation of implementation; reasons could include resistance to the proposed changes (workflows, tools), realising errors in the risk assessment or prioritisation, new high-priority risks arising, a change in your capacity (or your evaluation of it) to support the organisation, or losing internal or external allies
- Communicate changes in the spirit of a living document