After a Security Audit: How to create a Cyber Security Action Plan

November 27th, 2019
After a Security Audit: How to create a Cyber Security Action Plan

Once you’ve carried out your security audit, you’ll need a cyber security action plan. This needs to be clearly documented and stored somewhere central so that everyone who needs to see it can access it.

Put the plan together as soon as you can, so you can start implementing any changes that were flagged up during the audit. We’ve put together a list of things to help you get started.

Why you need an action plan

Your security audit will probably have flagged up several things for you to review in order to secure your IT infrastructure, and you need a plan so you can take action to resolve any issues.

Have the report produced by whoever carried out your security audit to hand when you create the action plan, so you don’t miss anything out. Or if you can work with the person who created the report to create the plan.

The report will highlight where there are any cyber risks and should give you information on how to improve your mitigations.

Things to think about

1. Prioritise based on risk

Look at what immediately needs to change; do you have a service open to the internet that needs to be locked down for instance?

Related: Why is a cyber security risk assessment so important for SME's?

2. Consider Impact

Before rushing off to implement all the things you’ve found to be insecure, consider the impact on the business and users. Enabling 2fa on everything? Do all users have a mobile phone for example?

3. Single point of failure

Your security audit should have flagged up any points of failure. The term refers to any part of your IT system which would cause the entire system to fail if it is compromised or fails itself.

What are the implications to your business if this happens? Include the single point of failure in your action plan.

4. Business continuity

Include in your action plan how you’ll ensure your business will keep running if there is a security breach. What steps do you need to take now to ensure business as usual? Think about any staff requirements as well.

Related: How to recover from a cyber security breach

5. Data storage

Where is your data currently stored? The security audit will have alerted the team if your sensitive information isn’t properly stored, for example, if you’re relying on public cloud storage that isn’t correctly protected.

Include a step to review your data storage options and how (and how quickly) you can restore it in the event of a breach.

6. Policies

Technical measures are important but they should be backed up with solid policies and procedures. Who is going to create and own them?

7. Key staff members

Who are the key employees who will implement the changes highlighted by the security audit and listed in your action plan? Do they need to report to anybody? This is also a good opportunity to identify the staff who will deal with a cyber security incident if it happens.

8. Training

When implementing changes, ensure you make users aware of the changes, what impact they have, why you’re doing them and how they can support you to protect the business. Then continue to train them on the risks.

9. Communication

Think about how you will communicate with staff, internally, if there’s a problem, and how they will communicate with each other. If you don’t have a clear system in place, add that to your action plan.

Do you need to inform any clients if there is a security breach? Who are they? Similarly, do you need to contact suppliers and partners – this is especially important if you’re part of a supply chain. Make sure you’ve got up to date contact details.

10. Ongoing monitoring

The company which carried out your security audit will probably offer ongoing monitoring. This is really important, so include reviewing the options in your action plan.

A good IT partner will be able to monitor your systems to reduce the possibility of a cyber-attack, make sure everything is up to date and help protect you from new threats as they arise.

 

Think your company needs a cyber security audit, or need help creating your action plan? We're here to help, just get in touch.