An increasing number of sites are actually starting an IS security program/department/whatever (yay!).
In my opinion, the way to get the most "bang for your buck" (largest security yield for minimum cost), as well as to provide the foundation that almost everything later will be built on, is a review of the security plans, policies and procedures in existence, with the 'modification' where things are found lacking and the creation of ones that no longer exist. (Since they are actually starting up, it is assumed that there is some kind of buy-in from 'the guys upstairs.')

What are your impressions?

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566