The Information Systems Security Officers Guide: Establishing and Managing an Information Protection Program
IWC's Infosec Tactical Plan
A tactical plan is a short-range (3-year) plan that supports the IWC CIAPP and InfoSec functional goals and objectives (Figure 6.3). The InfoSec Tactical Plan (ITP) should:
- Identify and define, in more detail, the vision of a comprehensive InfoSec environment, as stated in the ISSSP;
- Identify and define the current IWC InfoSec environment; and
- Identify the process to be used to determine the differences between the two.
Once that is accomplished, the ISSO can identify projects to progress from the current IWC InfoSec environment to where it should be, as stated in the ISSSP. In the ITP, it is also important to keep in mind:
- The company's business direction;
- The customers' direction; and
- The direction of technology.
Once that is established, the individual projects can be identified and implemented, beginning with the InfoSec Annual Plan (IAP).
The IWC Tactical Business Plan stated, "In addition, it is expected to be able to integrate new hardware, software, networks, etc., with minimum impact on schedules or costs." Therefore, it will be necessary to establish a project with the objective of developing a process to accomplish that goal.
The ISSO must then also consider that the IWC CIAPP must contain processes to reevaluate the mechanisms used to protect information so that it is only protected for the period required. Therefore, a project must be established to accomplish that goal.
The IWC Tactical Business Plan also called for the completion of an InfoSec program that can protect IWC's information while allowing access to its networks by its international and national customers, subcontractors, and suppliers. Therefore, another project that must be developed is one that can accomplish this goal.
Writing the InfoSec Tactical Plan
Writing the ITP should be somewhat easier based on the experience gained in mapping the goals for the ISSSP and ITP and writing the ISSSP. Once that is accomplished, the ISSO will write the ITP following the standard IWC format for plan writing.
The IWC format was determined to be as follows:
- Executive Summary
- Table of Contents
- Introduction
- InfoSec Strategic Goals
- How the InfoSec Tactics Support the ISSSP
- How the InfoSec Tactics Support IWC Tactics
- Mapping Charts
- Conclusion