Once you have established mission-focused relationships within your organization and have identified the highly sensitive information that the organization uses to operate, you should begin to analyze this information as it relates to organizational compliance requirements and your knowledge of the threats that the organization faces.
If your organization is responsible for oil refining, you may have a very different response to securing an information system than you would if you were a hospital and you were looking to secure a network-connected blood pressure machine.
References:
- Financial (FFIEC-IT): https://ithandbook.ffiec.gov/it-booklets/e-banking/risk-management-of-e-banking-activities/information-security-program/security-guidelines.aspx
- Retail (PCI-DSS): https://www.pcisecuritystandards.org/document_library
- HealthCare (HIPAA): https://www.hhs.gov/hipaa/for-professionals/index.html
- Defence (DFARS): http://www.acq.osd.mil/dpap/dars/dfarspgi/current/
- Energy (CIP): http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx