IASAP Document (Information Assurance and Security Action Plan Document)

Objective: To produce the Information Assurance and Security Action Plan document; this serves as foundation for the deployment of recommended actions and development of the security plans.

Approval of the SEIS report from top management explicitly entails agreement to then develop the IASAP document (Information Assurance and Security Action Plan), tackling each one of the actions proposed in the SEIS report in detail.

Information is one of the most important assets of the organisation. Like other resources, it has great value and therefore needs to be properly protected. The objective of information security is to protect it from a wide range of threats, in order to guarantee the continuity of the organization's activities, minimize information damage and maximise the return on investments and opportunities. This is done following the principles of confidentiality (guaranteeing that information is accessible only to authorized personnel), integrity (protecting the accuracy and completeness of information and of its processing mechanisms) and availability (ensuring that authorised users have access to information, and to the associated resources, whenever they need it).

The security of information is the result of the implementation of adequate controls and security measures that encompass policies, procedures, practices, organizational structures and software functions, among others. The design or development of many information systems does not take adequate security requirements into account. To compensate for the limitations of technical security measures, adequate procedures and management are needed, supported by every employee of the organisation and, in some cases, even by suppliers, users and/or customers.

It is essential for the organization to identify its security requirements through an evaluation of the risks. It also needs to identify the legal, normative, statutory and contractual requirements as well as the objectives and requirements of information processing needed to support its operations.

Once the security requirements have been identified, the security measures and actions selected in the SEIS report are developed in detail in the IASAP document. This document includes the resources required for the planning, implementation and economic assessment of those actions to reduce risk to an acceptable level.

The IASAP document is, in effect, the organization's Information Security Action Plan. It includes an integral plan for the deployment of the identified actions, so that deadlines and milestones can be established to achieve the different objectives: organizational, departmental and even personal. For each of the actions, at least the following information is needed:

  • Technical (and, where required, organizational) development of the action in detail.
  • Detailed planning of each action, including time frames and the deployment plan (short, medium or long term).
  • Identification of the required human resources, stating whether they are internal or external.
  • Economic assessment where possible (for both internal actions and actions carried out by external contractors).
  • Supplier quotes for tasks where external support is needed.

The actions to include in the IASAP document depend on the security measures already deployed by the organization and the degree of penetration of information security within the organizational culture. Some of the usual tasks include:

  • Improvement of organizational structures (creation of a security committee, allocation of responsibilities).
  • Possible outsourcing of some IT functions.
  • Development and distribution of security policies and associated procedures.
  • Improvements in systems and the data centre.
  • Improvements in the security of network devices (wireless networks, WAN, LAN).
  • Vulnerability assessment.
  • Development of a business continuity process.
  • Risk analysis.
  • Development of an IT contingency plan.
  • Training plan.
  • Others.

In some cases it is necessary to seek the support of external experts in specific areas, or to obtain supplier quotes, in order to calculate the human and economic resources needed for some of the required actions.