Everyone knows that information security isn’t something that can be ignored. Most people are doing something about it. But how do you know if you’re focusing on the right things, and where your gaps are? Is your focus based on a checklist your CIO read in a magazine? The key to a successful information security program is organization and documentation, the less fun but still vital part of information security. In this presentation I plan on outlining the steps to setting up a formal information security program and identifying gaps in current programs:

- Creating the main framework document and what should be in it
- What to do when your boss gives you a security checklist he read in a magazine
- Strategies for selecting a security framework: SANS Top 20, NIST, ISO 27001, Cyber Essentials
- Establishing a security council
- IR plan and template
- Policies
- Change management
- Vulnerability management