Security Management Plan: What Is It and Why Is It Needed?


Security management plans keep mission-critical networks safe. The California High-Speed Train Project is a massive undertaking that will connect all of the major metropolitan areas in California, from San Francisco Bay to San Diego, when it is completed. The train itself will be capable of traveling at speeds up to 220 mph. Much of the system will run on an Automatic Train Control system designed to cover all critical safety issues associated with a high-speed train, according to the project’s “Safety and Security Management Plan.”

California’s new high-speed trains would be carrying countless passengers at speeds that could result in a catastrophe if anything went wrong. The safety and information security management plan needs to address potential issues with seismic activity, excessive wind, train control and signaling, voice and data communications, and closed-circuit security camera systems. A failure at any one of these junctures could result in a collision or derailment.

Because so many mission-critical systems from hospital networks to traffic systems now operate online, emergency management degree programs are seeing more and more students enroll every year. Nearly every industry, especially essential services, needs personnel who understand security management thoroughly.

Essential Parts of a Security Management Plan

The first step in establishing a security management plan is to proceed from an all-inclusive safety, security, and emergency management definition. A formal plan (against anything from cyber security hacks to hurricane disaster relief), according to the National Center for State Courts’ “A Comprehensive Emergency Management Program,” should be composed of six parts:

  • Program management: Leaders capable of coordinating efforts both internally and externally (with regulatory bodies) are the ones who ultimately sign off on a security management plan and oversee the rest of the steps.
  • Prevention: Risk and vulnerability assessments, business impact analyses, and both personal and physical security considerations help a company or department to more effectively prevent security threats.
  • Preparedness: Procedures must be planned ahead of time and specify the steps a company should take in the event of a critical incident, including everything from evacuation plans to backup servers.
  • Response: When an incident takes place, contingent procedures need to begin immediately. IT and response teams will work through a checklist of responsibilities until the incident is over.
  • Recovery: After an incident, IT systems, voice and data communications, and business operations should resume their normal functions as soon as possible.
  • Training: Typically, even a great response has room for improvements before the next critical event. Training helps security management and response personnel see how they can better their performance. Also, as new technologies disrupt the security management industry, training programs can help incorporate the new tech into the plan.

Training is perhaps the most important aspect of a successful security management plan. Without it, other steps can be merely academic and might never be put into action.

“Management is responsible for supporting the [security] policy not only with its backing, but also by including policies and the backing for educating users on those policies,” explains veteran IT professional Roberta Bragg in her excerpt, “CISSP Security Management and Practices” on the Pearson IT Certification website. “Through security awareness training, users should know and understand their roles under the policies.”

Proactive Measures in Security Management

Perhaps the most common problem with safety, security, and emergency management (with particular emphasis on information security) is the tendency of most organizations to be reactive to critical incidents. IT personnel typically study a hack after it has already occurred in an effort to prevent future attempts of the same type.

Wouldn’t predicting hacking attempts and trying to prevent them before they occur be more effective? Technology solutions and IT support company ConRes (Continental Resources) offers a series of proactive measures in “5 Steps for Creating a Proactive Security Plan” on its company blog:

  • Do frequent risk assessments: An effective risk assessment takes an inventory of a company’s assets and then analyzes the weaknesses and potential risks associated with each asset. And because assets and risks are in a constant state of flux, frequent assessments will help a company stay ahead of the hackers.
  • Teach best security practices: Non-IT personnel can be pretty naïve about cyber security. Hackers take advantage of this naïveté to access sensitive information within a company’s secure network. Educating employees on best practices (e.g., create strong passwords, don’t open suspicious emails) gives hackers fewer opportunities to hack a system.
  • Implement an Intrusion Prevention System (IPS): Unlike an Intrusion Detection System (IDS), which passively logs suspicious activity and flags it for analysis, an IPS analyzes activity by comparing it against recognizable signatures. If the activity is anomalous, the IPS will actively attempt to block the threat.
  • Always install updates and patches: The vast majority of software and operating system updates and security patches are released in response to some new cyber security threat. Installing updates ensures that the system is protected against new vulnerabilities before hackers have a chance to exploit them.
  • Limit employees’ downloading permissions: Malware disguised as legitimate programs or applications runs rampant on the internet. Specifying ahead of time which applications can be downloaded on company equipment can proactively prevent malware installations and keep hackers out of sensitive networks.

Although ConRes’s 5 steps are tailored specifically to information security, they can be adjusted to any safety, security, or emergency management scenario. Professionals in the field should constantly be assessing risk, preventing threats, preparing for worst-case incidents, educating emergency and security personnel, and studying ways to increase safety and security in the future.

Eastern Kentucky University’s Master of Science in Safety, Security, and Emergency Management Program (MSSSEM)

Creating a safety management plan and putting it into effect within a company, organization, or government agency is one of the many critical responsibilities for which MSSSEM degree-holders are educated.

EKU offers courses in emergency planning and response, security management, homeland security, industrial safety, crisis response, fire safety, and intelligence analysis to students interested in taking one of our 3 MSSSEM concentrations: occupational safety, emergency management, and homeland security.

Our fully accredited online emergency management degree program prepares students to sit for their Associate Safety and Health Manager (ASHM) certification and the Certified Safety and Health Manager (CSHM) exam. Those interested in learning more about EKU’s MSSSEM program should visit the program webpage today.

Sources:

California High-Speed Train – CA.gov

Emergency Management Program – National Center for State Courts

Security Management Planning – Pearson IT Certification

Proactive Security Plan – ConRes IT Solutions