It is ideal to look at your security program from a “blue ocean” perspective, where there is nothing else in place. At this point, you should have a list of vulnerabilities that need to be addressed. You should then examine each vulnerability and information source and determine the appropriate countermeasures to mitigate each vulnerability, realizing that some vulnerabilities may not be mitigated because it is not practical to do so. The countermeasures can implement protection, detection, or reaction. Multiple countermeasures may be appropriate.

After you have completed this exercise, it is time to do a sanity check. You need to ensure that there is a cost/benefit analysis of your ...