One of the first steps in implementing an effective security plan is to periodically assess organizational risks. Identifying and mitigating risk helps in establishing a security management structure and assigning security responsibilities. Without an understanding of your risk, you cannot determine the proper security policies, procedures, guidelines, and standards to put in place to ensure that adequate security controls are implemented. The risk assessment provides a baseline for implementing security plans to protect assets against threats. Within the risk assessment, some basic questions must be answered: What assets within the organization need protection? What are the risks to each of these assets? How much time, effort, and money is the organization willing to spend to upgrade existing protection, or obtain new adequate protection, against these threats?
Developing an Effective Organization-wide Access Control Plan

Because the management of security groups, ACLs, and security settings needs to be carefully planned, creating an access control plan can help prevent standard security problems from occurring. The standard security problems you want to prevent are: inefficiently protecting network resources; assigning users too many rights and permissions, or too few rights and permissions to perform their daily tasks; and continuously performing ad hoc security configuration to correct security settings. The access control plan will include the following components. Security strategies: this component outlines the general security strategies that deal with all possible threats identified as security risks.
Permissions will be granted to different users according to their position in the organization, and security groups should be defined so that permissions can be implemented effectively. Security policies: this component determines the configuration settings implemented for the Security Settings of Group Policy in Active Directory. The access control plan will also include information security strategies: this component details the manner in which information security solutions, such as the Encrypting File System (EFS), are implemented, if applicable for the network. Administrative policies: this component details the policies for delegating administrative tasks, and should also include all auditing practices.