We haven’t the time to take our time.

Eugene Ionesco, 1912–1994

When organizations first recognize that they need to ensure that the information assets of the organization are adequately protected, this usually results in asking the question, “What applicable policies are in place?” There may be some human resource policies that might apply or corporate policies noted in the ethics and compliance code of conduct, however, these are normally insufficient to address the breadth of the information security needs. The next step is for the organization to embark upon the time-consuming task of developing information security policies.