Security Planning (from NIST)
This security planning list and description are meant to tie security planning to an activity or behavior. For NIST's descriptions, see NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems.
- Security planning policy and procedures - The organization creates and maintains a security policy and procedures which cover roles, responsibilities, scope, and compliance. The security policy and plan should cover all aspects of security for the organization including systems security, network security, and physical security. The plan should be modified as conditions and technologies change. (low)
- System security plan - A security plan is developed for each system providing an overview of the controls and the risks associated with the system. The plan is reviewed and approved by designated officials. (low)
- System security plan update - System security plans are reviewed and updated either periodically or when modifications or new threats to the system warrant it. (low)
- Rules of behavior - The responsibilities and expected behavior is communicated to all computer users usually through a computer systems appropriate use policy. The policy should cover inappropriate use regarding non-business but should all cover use that may provide a security risk such as use of wireless equipment, creation of a different connection to the internet, use of file sharing programs, instant messaging, and other non-secure uses. The users should sign a form stating that they have read the policy and agree to abide by it. (low)
- Privacy impact assessment - A privacy impact assessment is conducted on the computer system. (low)