This Guideline specifies steps that an organization can take to develop and implement an effective, risk-based information asset protection (IAP) program.
To protect its information assets, an organization should establish a formal IAP program appropriate to its size and type. To be effective, the program should be tailored to the organization's strategy, mission, and operating environment. Additional factors such as the organization's scope, risk tolerance, decision-making protocols, business practices, regulatory environment, public image, interrelationships, and culture also play an important role in how the IAP program is designed and implemented.