In 2020 the U.S. SEC released new guidance on disclosure obligations related to cybersecurity risks and incidents. For companies that experience a material data breach, the fallout can include not only significant financial damages, but also reputational harm and diminished shareholder value.
In light of these risks, it’s more important than ever for businesses to have a comprehensive system security plan (SSP) in place. But what exactly is an SSP? In this article, we’ll answer that question and explore some of the key components of an effective SSP.
An SSP is a document that outlines a company’s strategy for managing its cybersecurity risks. The plan should detail the specific steps the company will take to protect its information systems from attack or unauthorized access.
At a minimum, a system security plan should address the following topics:
- Information security policy: This should be a high-level statement from management about the importance of information security and the company’s commitment to protecting its data and systems.
- Risk assessment: The SSP should include an assessment of the company’s specific cybersecurity risks, including both internal and external threats.
- Risk mitigation: The system security plan should describe the specific steps that will be taken to mitigate identified risks, such as implementing security controls or increasing employee awareness training.
- Incident response: The SSP should outline the steps that will be taken in the event of a security incident, such as notifying law enforcement or launching a public relations campaign.
- Monitoring and review: The SSP should detail how the company will monitor its cybersecurity posture and review the effectiveness of its security controls on a regular basis.
- Documentation: The SSP should include all relevant documentation, such as network diagrams, user manuals, and contact information for key personnel.
- Training: The SSP should identify the training that will be required for employees who have access to critical data or systems. For example, all staff should receive basic cybersecurity awareness training, while those with more sensitive access may need more specialized training.
- Change management: The SSP should describe how changes to the company’s information systems will be managed in a way that doesn’t jeopardize security.
A system security plan is an important tool for managing cybersecurity risks, but it’s only one part of a broader risk management strategy. Companies should also consider implementing other measures, such as incident response plans and data loss prevention programs.
When developing an SSP, companies should consult with cybersecurity experts to ensure that their plan is comprehensive and effective. Cybersecurity is an evolving field, and your SSP should be reviewed and updated on a regular basis to reflect any changes in the threat landscape or your company’s business operations.
If you’re not sure where to start, there are many resources available to help you develop a system security plan, including the National Institute of Standards and Technology’s Cybersecurity Framework and the SANS Institute’s Critical Security Controls.