Define What You Have


Most organizations have some basic security measures, even if they are only informal activities. The current status of the security procedures must be evaluated, not only for their effectiveness but also for their applicability to the areas that the risk analysis has determined to be important. The evaluation must determine whether they appropriately address the areas of security that are most important to the organization. Evaluating the effectiveness of current processes requires analysis of the procedures and testing of the practices.

Policies and Procedures

All organizations have security policies and procedures, even if none of them are written down. Groups outside the information technology group, such as human resources, have policies with security aspects. These policies define acceptable and unacceptable behavior and how to handle employees who violate them. They are a great starting point for developing security-specific policies.

The information technology department will have procedures that pertain to security. It will have data handling procedures for backup and recovery, processes for adding new users, and other activities that involve security. These practices will need to be evaluated and incorporated into written security policy and procedures.

The organization's existing policies will need to be examined to determine how they can be applied to information security, or how to draft new policies that follow them. Often an organization's employee personnel policies and physical security policies can directly apply or be broadened to encompass information security.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
