The key steps in developing a security plan are:
Perform a risk assessment: an assessment of the risks and points of vulnerability.
Develop a security policy: a set of statements prioritizing the information risks, identifying acceptable risk targets and identifying the mechanisms for achieving these targets
Create an implementation plan: a plan that determines how you will translate the levels of acceptable risk into a set of tools, technologies, policies and procedures
Crate security team: the individuals who will be responsible for ongoing maintenance, audits and improvements.
Perform periodic security audits.