Formulate the rules that will become the standard for security measures of the target system. Additionally, prescribe penalties for security violations. For example, formulate rules and penalties as below:

• Rules

  • Applying security patches and update programs

  • Prohibiting unauthorized acquisition of information from the database

  • Prohibiting the saving of acquired information to media that is not permitted for use

• Penalties

  • Prescribe penalties in the company's employment policies and procedures

  • Set fines