This "how-to" guide presents general steps in understanding and identifying technology security vulnerabilities; developing and implementing controls that mitigate the identified security risks; creating and implementing a program that measures the effectiveness of these controls; and using the work done in the previous steps to develop and implement security policies for an agency. The first of seven chapters reviews features of a law enforcement leader's responsibilities for addressing security policies and risks. It discusses the nature of a security policy, identifies the risk factors to an information technology (IT) system, and explains how security policies control risk. This is followed by a chapter that presents the seven steps for organizing and charging the security policy development team. The four steps for conducting a security self-assessment are outlined in the next chapter. Another chapter reviews how to assess security risks, followed by a chapter that presents a step-by-step approach for developing a risk-mitigation strategy. A chapter on the measurement of security controls first defines "security measures" and then suggests how to develop and select measurement methods, before outlining seven steps for building an agency's security measures. The concluding chapter explains how to write an information security policy in six steps. Appended worksheets, a glossary of security terms, and a list of security resources