SAMPLE PROTECTION PLAN
The following is a sample protection plan for an organization. It should be customized to meet the requirements of the organization.
- System Description -- This should contain:
- The physical location of the equipment. For example, the Steam Whistle 3000 machine is located in room 941 (9th floor) of building 18 (S. Caesar Lane and A. E. Neumann Drive) in a technical area with limited access.
- Types of data and information -- For example, the SW-3000 processes data related to the production of widgets and personnel files.
- Classification level -- For example, the highest classification level of data or information that is to be processed is “B” level, which is defined as Mandatory Control.
- Duration and Importance of MIS Activity -- For example, the requirement for the Steam Whistle 3000 to process “B” level data will continue for an indefinite period.
- Equipment Location -- The majority of the hardware is located at the facility described in location 1.A; however, there are also disks on the eighth floor.
- Equipment Description by Name and Model Number -- self-explanatory
- Security Officers -- For example:
Security Officer Jim Frost 555-1212
Alternates Sue Bond 555-1312
Alternates Dee Jensen 555-0212
- Data Processing Terms -- The data processing terms used in this security plan are consistent with those appearing in the company standards manual.
- System Integrity Study -- The integrity study will contain the access needs.
- MIS Security: This should include all aspects of system security such as access methods and user control. Additionally, risk analysis and audit review information should be considered in this portion of the study.
- Communications Security: This should include all aspects of communication security with the outside world. The Radio Frequency Interference (RFI) control requirements and network access precautions should be addressed in this portion of the study.
- Information Security: This should include all aspects of the system security responsibility of each user and how the system keeps user information separate. Details on projected percentage and level of information type should also be included. Finally, risk analysis and audit review information should be included in this portion of the study.
- Personnel Security: This should describe all day-to-day personnel security activities including who should have access to the system at all times.
- Physical Security: This should describe all physical barriers to access in the system, drawings, diagrams, and schematics of the system. In addition, risk analysis and audit review information should be included in this portion of the study.
- Contingency Plans: These plans should detail how the critical system functions will be performed if the system is not available. This should include full contingency plan/procedures, post-disaster recovery, and risk analysis.