The guide presents general steps for achieving four objectives. First, it will help agencies understand and identify security "exposures" for their IT. Second, it will assist agencies in developing and implementing controls that will address identified security risks. Third, it guides agencies in creating and implementing a program for measuring the effectiveness of these security controls. Fourth, using the work done in the previous steps, this guide will help agencies develop and implement security policies. In presenting these four steps, the guide first provides an overview of security risk management, the importance of implementing an information-security policy, and the critical leadership role of managers in policy initiatives. It also suggests whom to involve in the security project and how to develop the Security Policy Development Team. The four key phases of the information technology security development and implementation process are then explained. The first phase involves learning how to conduct a self-assessment, which provides a status report on the current security system. The second phase is a risk assessment that determines security vulnerabilities in the IT systems, using findings from the self-assessment. Phase II involves learning how to develop and implement security controls in order to mitigate identified risks. The final phase is the development and implementation of an ongoing measurement process that ensures the controls are effective. A hands-on process for writing information-security policies is included. Appended sample tools, a glossary of security terms, and a listing of security resources