Assess your environment. What do you need to protect? What are you protecting against?
Understand priorities, budget, and available resources .
Perform a risk assessment and cost-benefit analysis.
Get management involved.
Set priorities for security.
Identify your security perimeter.
Develop a positive security policy. Circulate it to all users.
Ensure that authority is matched with responsibility.
Ensure that everything to be protected has an "owner."
Work to educate your users on good security practice.
Don't have different, less secure rules for top-level management.
Conduct a compliance audit.
Outsource when appropriate, but with great care.