Implementing the security program

Implementing a security program starts with senior management laying down a collection of relatively high-level statements in policy documents that initially define the governance structure for the organization. A risk assessment is then performed to understand where the most critical assets are and where the most dangerous risks lie. Acting on the information developed from the risk assessment, which serves more as a vision, management selects administrative, technical, and physical security controls to implement safety and security within the organization.

The ongoing implementation of that safety and security within the organization is the security program. Understood through ongoing assessments, ...
