1. Identify and locate your assets. Assess the importance of both information and material goods. Example: A computer may cost $3,000 to replace. The information on that computer might cost $60,000 to replace.
2. Perform a threat risk assessment. Categorize the likelihood of assets being stolen and the resulting damage. So, if a company has a public Web server, the cost of it going down from a denial-of-service attack might be the time required to bring the system back online - lets say, two hours from the IT department. If this Web server is used to perform financial transactions, then the cost must also include the number of purchases lost while the server is down.
3. Adopt a "need-to-know" philosophy. The CEO does not need a password to enable him to gain access to the accounting system. If he has access and someone finds out his password - e.g., he uses one password for all systems - it can be misused.
4. Perform an informal site survey of your organization. You can either relocate valuable assets to more secure areas or take extra measures - additional locks, smart cards, security personnel, etc. - to guard these assets.
5. Institute a standard for classifying all information. An advertising plan might be restricted to specific people in the marketing and business development departments. An engineering document that details trade secrets would be restricted to specific engineers.
6. Ascertain who needs access to external resources. This is an extension of the need-to-know philosophy. Although cumbersome, it may be necessary to adopt strict policies regarding the use of the Web and the downloading of third-party software from unknown sites.
7. Create a disaster recovery plan. Pick a worst-case situation - usually such plans assume the building has burned down - and consider how you will stay in business and service your customers. This exercise will serve to highlight the data and equipment that is critical to your operation. It will also make you think about how long your operation can be "down" without suffering irreparable harm.
8. Appoint someone to be responsible for security policy enforcement. This can be one person or a group of individuals.
9. Review the impact of any intended procedural changes on your employees. Will they be capable of shutting off alarm systems, changing passwords every month, locking their drawers every night and using password-enabled systems?
10. Understand that the implementation of any security policy needs regular validation. Reviewing the security policy six months after it was written will frequently uncover a few major deficiencies.
SOURCE: Queensland University of Technology (http://athena.fit.qut.edu).