The goal is to find a middle ground where companies can responsibly manage the risk that comes with the types of technologies they choose to deploy. Building and managing a security program is an effort that most organizations grow into overtime. A mature security program will require the following policies and procedures: Acceptable Use Policy (AUP) Access Control Policy (ACP) and Change Management Policy. Incident Response (IR) Policy is an organized approach to how the company will manage an incident and remediate the impact to operations.”]