Watch this video on YouTube
What should an organization without a formal information security program do first when implementing best practices?