Describe a general plan of action for initiating a security policy, elaborating on each stage that might be undertaken.

What will be an ideal response?

First of all, the need for one must be appreciated, and there must be commitment on the part of
senior managers. Depending on course coverage, an IT security team may be formed to oversee
the development of the policy. They may decide on an information classification exercise for the
area under consideration, then carry out a risk analysis. Following on from this, the policy will be
prepared, specific responsibilities identified, and then standards and procedures formulated for
implementation. The whole process is iterative, the policy should be continually refined. Certain
aspects of the plan should be elaborated, such as, how information might be classified, how risk
analysis might be carried out, what the policy should cover.