Departments or units must review their environment and processes to determine how best to protect electronic information resources and information assets in their jurisdiction. As a result of the review, an information security plan must be developed that specifies effective strategies to strengthen information security.
A security review includes the following steps:
Information Security Plan
After completing the security review, the department or unit must develop an information security plan that identifies an acceptable level of risk and cost-effective strategies to address that risk consistent with their business goals and activities. The plan should outline the processes and controls that will be implemented to enhance security. The plan
The information security plan should be written in easily understood language as guidelines and procedures. It should be communicated to current departmental staff through meetings (it is essential that all staff participate), local Intranets or Web sites, manuals, or newsletters. Further, the plan must be communicated to new staff upon hire. The plan must be reviewed at least annually, and whenever changes occur in equipment or software, workflow, physical relocation, or assignment of new responsibilities.
