Develop A Network Security Plan In 8 Steps

Contents

There are 8 steps to developing and implementing an effective network security plan include:

  1. Understanding your business model.
  2. Performing a threat assessment.
  3. Develop IT security policies and procedures.
  4. Creating a “security-first” company culture.
  5. Defining incident response.
  6. Implementing security controls.
  7. Working with a virtual CISO (vCISO).
  8. Maintaining security for the future.

Free Security Policy Templates

Get a step ahead of your cybersecurity goals with our comprehensive templates.

IT Security Policy Templates

What Is A Network Security Plan?

A network security plan is a strategy that defines the approach and techniques used to protect the network from unauthorized users and guards against events that can jeopardize or compromise a system’s security.

The approach and techniques used by an organization may consist of creating security policies and procedures that describe how an organization intends to meet the security requirements for its systems.

what is a network security plan

The security plan is a living document, that is, it requires reviews or maintenance at specified intervals to ensure it is current and up to date with regulatory requirements or major changes in the topology of the network.

The governance and maintenance of the network security plan varies from one organization to the next. Many medium to large companies may have a CISO or ISO, Security Manager, Security Director, or Manager of Compliance/Risk.

An SMB may have one individual wearing multiple hats at the managerial level.

Regardless of your organization’s Information Technology hierarchy, the oversight of the security plan should be managed by members of the organization who can effectively communicate the policy content to the end users.

Why Is A Network Security Plan Is Important?

Due to the growing threat of hackers continuously probing the Internet for networks to exploit, a network security plan is important to protect the infrastructure from unauthorized access, misuse, destruction, or loss of corporate reputation.

If an organization views a network security plan as a mere checkoff to satisfy a compliance audit requirement, this is a recipe for disaster. This short-sighted approach may lead to long-term issue.

For example, a successful phishing attack may install ransomware on an outdated computer on the network. Minutes later, it moves laterally to other machines on the network and onto the email systems.

In a short period, the network is crippled, and the business must decide to pay the ransom or figure out methods to stop the attack by hiring an expensive security consulting firm.

A well-designed and strategic network security plan will have controls in place to proactively prevent attacks and save the organization from this negative experience.

Read more: How To Prevent Ransomware Attacks

how to create and implement a network security plan

Steps Planning For A Secure Network

Securing a network requires a complex combination of hardware devices, such as:

Deciding which component to purchase, implement, and support requires individuals with a certain level of expertise. The resources mentioned above along with budgetary limits as set forth by corporate leadership require careful planning and cost analysis to ensure a return on investment.

These factors must be considered as you plan to secure your network. But what is the actual starting point? In the next section, we will provide the basic steps of how you can create an effective security plan for your organization.

Step 1: Understand Your Business Model

Identify the crown jewels - DLP Best PracticesThe first step in developing a network security plan is to know what it is you are planning to secure. You must know what the crown jewels are of your organization, where it resides, and how the business produces revenue.

Your executive leadership will have this information and provide the goals for the business as set forth by the board of directors.

Step 2: Perform A Threat Assessment

Once you understand the business model of your organization, it is now time to understand the assets, systems, and resources that are active on your network.

This information will be used to conduct a threat assessment.

The threat assessment is usually performed by a third party. This assessment may take a few weeks or even longer depending on the breadth of your environment.

The objective of the goal regardless of the timeframe to complete is to provide you with a report of the following information:

  • Identify and classify any security holes in the network
  • Identify weaknesses and vulnerabilities that could be exploited, such as weak passwords or default passwords used in critical systems.
  • Identify network security vulnerabilities in application, file, and database servers to determine patch levels.
  • Audit encryption settings on critical systems.
  • Test the viability of network defenders to detect and respond to attacks.
  • Provide evidence to support increased IT investments or network security.

The teams involved usually in this stage of the plan will include members from the Network, InfoSec, Database, and Server teams. These teams may be called upon to provide access to systems to perform a comprehensive audit of the environment.

The cost associated with hiring a third-party threat assessor will vary, dependent upon size and scope of your organization.

In general terms, the cost for a threat assessment may start at 10,000 according to one vendor. This cost may cover the third party’s billable hours, number of engineers allotted to project, dedicated project manager, and reporting cost.

The internal infrastructure of the organization in most cases provides the access required for the assessor to logon to a resource, such as Active Directory. If the threat assessment involves a vulnerability or penetration test, the assessor will utilize their tool sets of choice.

Once the Threat Assessment is complete, the assessor will create a detailed report specifying vulnerabilities detected and remediation recommendations based on the severity of the findings.

The vulnerability remediation effort may require an update to an existing application or device or recommend the purchase of new equipment.

Whichever the case, the report should provide an overview of the organization’s infrastructure and how well they are protected from insider or external threats.

With this information in hand, the Security leader will undertake a review of the organization’s security policies to determine if they align with best practices and any compliance requirements for the business.

The next step will highlight the characteristics and what to include in a network security policy.

Step 3: Develop IT Security Policies And Procedures

The results of the threat assessment can be used to create or expand the current version of policies and procedures.

From my experience and perhaps at your company, you may have one general Information Security Policy, and other sub or specific policies which support the primary policy.

For example, your organization may have a separate policy for Passwords, Mobile Devices, VPN, Social Media, Internet Usage, or a Clean Desk Policy.

There is not a hard-fast rule on the number of policies to create, however, they should be visible and written in terms that the average user in your environment can comprehend.

The link below provides a few samples of security-related policies that you can reference for your organization.

The policy templates listed in the above article are short, concise, and easy to understand. The composition of the policy content is generally governed by the Security Leadership (CISO, Information Security Officer, Security Director) in partnership with Compliance and Legal Department approval.

Once the policy content has been thoroughly processed and reviewed, executive leadership will provide the final approval for distribution into the corporate infrastructure.

This high-level or ‘top-down’ approach informs the employees that the policies and procedures have been approved at the highest level of the organization and must be adhered to by each employee.

For this reason, new employee orientation and onboarding consist of validating that they have acknowledged and agree to the policies of the organization.

This approach not only creates an atmosphere of accountability for the new employee from day one, but it also results in a ‘Security-First’ culture for the company. Let us expound on this in the next step.

What Is Security Awareness Training

Step 4: Create A “Security-First” Company Culture

To cultivate a strong security-first culture at your organization, regular security awareness training is imperative.

The average employee may not recall the exact wording of the core security policy for their organization when they were initially onboarded as a new hire. They also may not recall the location of the security policies.

Security awareness training and periodic phishing campaigns are created to remind the employees of the security policy and how to respond to old and new security threats.

October is Cybersecurity Awareness Month, which is an ideal time for organizations to send security policy reminders and tips to their employers via email, signs, or posters.

When your organization’s leadership is diligent in creating or improving its security culture, there is great benefit. This proactive approach to security increases security awareness.

It can also assist in identifying persons inside the organization who purposely ignore the policies and desire to damage (theft of sensitive data/intellectual property, disruption to productivity) the business.

A corporate hotline to anonymously report compliance violations should be included in the organization’s security awareness program.

Despite the efforts in creating and improving the security culture of the organization, there will be events within the organization that challenge the confidentiality, integrity, and availability of the company resources.

Let us learn more about this in the next step.

Step 5: Define Incident Response

Define incident response and remediation - - DLP Best PracticesIncident response is a critical component of the network security plan.

Threat actors have the goal of disrupting the operation of businesses around the world including your organization. 

Around the clock, these characters are searching for methods to infiltrate your network with the intent of installing ransomware, by way of phishing, and other social engineering techniques.

On top of the threats from unknown actors in the wild, there is the risk of insider threat. A disgruntled employee may have a grievance and may attempt to expose sensitive data, or an employee may perform an unintended action that results in data loss.

The good news is that there is technology available to thwart these attacks. There are firewalls, network segmentation, endpoint malware protection, and security awareness programs.

Regardless of how well a corporation has developed and matures its cybersecurity strategy, this does not remove the probability of an incident from occurring.

A simple click on a link from an email can be disastrous – it only takes one bad decision to impact the network. 

  • Who should be contacted when an incident occurs?
  • What if the IT managers are on vacation? 
  • Our building was destroyed, where is the Incident response plan? 
  • A hacker gained access to our accounting database, what should we do?

Incident response answers these questions.

Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyber attack. The goal of incident response is to handle the situation in a way that limits damage and reduces recovery time and costs.

To reduce the lifecycle of a discovered incident, the incident response plan facilitates rapid handling. The plan provides information on who the members of the Incident Response Team are and their assigned duties.

Within the plan, there is a call tree that helps the incident handler facilitate the process – document the incident timeline, assemble the relevant team members, and provide the proper notification of the event and status to senior leadership.

After the incident, the plan outlines lessons learned from the attack which helps the team understand how the incident occurred and methods to prevent repeating the incident in the future.

Step 6: Implement Security Controls

what are security controlsIt is great for your organization to have solid, professionally written policies describing what should be done.

This is a serious must-have, however, there should be tools and controls implemented in the environment to support the policy statements, or else, the policies are just words.

There are several security control frameworks available that can be used as a reference to establish your security controls.

These frameworks provide direction on how to secure firewalls and implement secure Operating System best practices, Password best practices, and other security initiatives.

Common Frameworks available in the industry are:

  • NIST National Institute of Standards and Technology.
  • ISO/IEC 27001 International Organization for Standardization/International Electrotechnical Commission.
  • CIS Center for Internet Security.
  • PCI DSS Payment Card Industry Data Security Standard.
  • CMMC Cybersecurity Maturity Model Certification.

The common theme in the listed frameworks is to build secure networks. I highly encourage you to review each framework to determine if it aligns with your current business model.

If there is not a requirement to adopt the full set of controls in each framework, at a minimum utilize the framework control recommendations to meet best practices for specific areas that align with your network, such as the firewall requirements listed in the NIST framework as an example.

Achieving the requirements listed in any of the frameworks requires resources and expertise. If your organization is lacking in this area, help is available.

Step 7: Work With A Virtual CISO

Working with a virtual CISO (vCISO) is a strategic decision for small businesses to strengthen their security posture. 

vCISOs deliver high trust and deep experience, bringing a broad range of proficiencies and historical knowledge across industries. 

A key responsibility of a vCISO is to design and implement effective response plans, ensuring that they are regularly reviewed and tested for readiness against security incidents, such as ransomware.

By collaborating with internal security teams, a vCISO provides insights into cybersecurity risks and enables management to make informed, data-driven decisions.  

In addition, a vCISO is a cost-effective resource, fulfilling security leadership roles without the administrative hurdles and costs of hiring a full-time employee

Step 8: Maintain Security for The Future

Once the Network Security Plan has been documented, communicated to executive leadership, and security controls have been implemented to support the plan, your organization is heading in the right direction of laying the groundwork for an effective and sustainable security culture.

There may be pain points along the way, since adopting a change in corporate culture may not be well received by all members of the organization.

It is essential for executive leadership to support the culture, which in turn will set the tone for the rest of the organization.

To ensure the entire organization is in tune with the security culture, various roles and resources are required to orderly move the culture along.

Most medium to large organizations have various roles in place to oversee the Information Technology and cybersecurity program of the organization and help sustain the culture.

A sample list of roles is listed here:

  • Chief Information Security Officer (CISO)
  • Information Security Officer (ISO)
  • Chief Information Officer (CIO)
  • Director of Security
  • Security Manager
  • Compliance Risk Manager

The individuals assigned to these roles should make it a practice to engage with other non-technical business leaders representing Finance, Legal, Human Resources, and Marketing.

Regular communication with these teams will help the organization understand that security is an integral part of the business culture that all employees should support.

Security leaders should meet quarterly to review the state of the security program to assess gaps in processes, tools, or review security awareness training. An overall review of the network security plan should also be conducted on an annual basis as well.

Conclusion

A Network Security Plan provides the roadmap for your organization to operate safely and securely.

Development of the plan requires a thorough understanding of the business and support from executive leadership.

The plan should be deliberate, enforceable, understandable, educating all employers to want to do the right thing for security.

By following the suggestions provided in this article, you can create a successful network security plan and develop a sustainable security culture that will provide lasting benefits for your organization.

Article by

Picture of Michael Swanagan, CISSP
Michael Swanagan, CISSP
Michael is an Information Security Professional with 15 years of proven experience. He has experience leading and supporting security projects and initiatives in the healthcare, finance, and advertising industry.

Related Content

Picture of Michael Swanagan, CISSP
Michael Swanagan, CISSP
Michael is an Information Security Professional with 15 years of proven experience. He has experience leading and supporting security projects and initiatives in the healthcare, finance, and advertising industry.

Share This Article

Our Editorial Process

Our content goes through a rigorous approval process which is reviewed by cybersecurity experts – ensuring the quality and accuracy of information published.

Categories

.

The Breach Report

Our team of security researchers analyze recent cyber attacks, explain the impact, and provide actionable steps to keep you ahead of the trends.