Let’s get real for a moment.
This saying exists for a reason: “...it’s not IF but WHEN you will have a security incident.”
A few real-world experiences that will happen:
The first item that both legal counsel and an Incident Response (IR) Investigator will request is your policies. Information security policies describe how the organization wants to protect its information assets. After policies are outlined, standards are defined to set the mandatory rules that will be used to implement the policies. Some policies can have multiple guidelines, which are recommendations as to how the policies can be implemented.
A mature security program requires the following policies and procedures:
Building and managing a security program is an effort that most organizations grow into over time.