Implement policies and procedures to prevent data loss or theft

There is no “one size fits all” solution to information security. Security controls should be designed to fit the risk and should be backed up by a robust set of policies and procedures and a well-trained user and staff base.

The threat of data loss or theft is a risk to the organization. The organization typically responds by conducting a risk analysis and then employing appropriate risk management strategies. A risk analysis is the identification of the risk and the planning of a mitigation technique to manage it. Risk identification involves systematically identifying all assets and cataloging the vulnerabilities and threats against each asset. For example, the company’s Internet-facing web site is vulnerable if it is not secured effectively in a DMZ and if the backend database is not stored on a redundant storage array. The associated threats include hackers modifying the web pages and dat