Policies and procedures are at the root of every successful security program. Wherever possible, ICS-specific security policies and procedures should be integrated with existing operational/management policies and procedures. Policies and procedures help ensure that security protection is both consistent and current to protect against evolving threats. After an initial security risk analysis has been performed, the information security manager should examine chosen recommended security policies to see if they adequately address the risks to the ICS and to see if they properly cover the company's chosen risk tolerance. Tier 1 management is responsible for developing and communicating the ...