SECURITY PLAN TEMPLATE  

GENERAL

The objective of computer security planning is to protect information assets (i.e., information and information resources). Plans that adequately protect information assets require managers and information owners – directly affected by and interested in the information and/or processing capabilities – to be convinced that their information assets are adequately protected from loss, misuse, unauthorized access or modification, unavailability, or undetected activities.

NOTE: The Security Plan MUST document safeguards and countermeasures for identified and perceived threats and vulnerabilities.

The system security plan provides a basic overview of the security and privacy requirements of the subject system and the organization’s plan for meeting those requirements. The system security plan is also perceived as a way of documenting the structured process of planning adequate, cost-effective security protection for a system. Consequently, the security plan should reflect input from various managers with responsibilities concerning the system, including functional end-users or information owners, system operations, and the system security manager.

Each security plan should have four basic sections: System/Subsystem Identification, Sensitivity of Information, System Security Measures, and a section for Additional Comments (e.g., special conditions, exemptions, etc.).

The remainder of this document or template contains a description of the scope, content, and format of each of the four sections.

Using the formats described in the links below, the author of the security plan must document – and where applicable, show evidence – how the information asset and its processes are or will be protected. It is the responsibility of the designated security representative in conjunction with the system or information owner to determine whether the security plan meets established requirements.  

  Quick Presentation

  System/Sub-system ID

  Sensitivity of Information

  System Security Measures

Additional Comments

This final section is intended to provide an opportunity to include additional comments about the security of the subject system and any perceived need for guidance or standards. Additionally, this section can be used to address special conditions, requirements, exemptions, authorities, regulations, etc.