Security control selection

Now that you have completed the information categorization activity, found your organizational information assets, discovered where your organizational information is located within the information system, organized your information into discrete protection categories, and assigned a dollar value to your information, you are in an excellent position to begin establishing the security controls necessary to protect your organization's information. You have worked with the business and IT teams to establish the importance of the data within your organization, and you can use this information to architect the security controls the information system needs.

Prior to establishing the security controls for your information systems, you must review your organization's regulatory and compliance requirements to make sure that the security framework you build ensures compliance with them.

As you are in the process of building your organization's framework, you should review the security frameworks that already exist:

  • Many of these frameworks exist to satisfy a compliance requirement. Using them will help to make sure you are going in the right direction.
  • Thousands of combined hours have gone into developing these security frameworks, so it does not make sense for you to start from scratch. Benefit yourself and your organization by utilizing one or more of these excellent security frameworks.
  • Based on my experience, I recommend the use of the NIST Framework:
    • Map the NIST Framework to any other specific compliance requirements as needed based on your organizational compliance needs.