A risk evaluation must be carried out to recognize vulnerabilities and threats, usage policies for significant systems have to be formulated and all staff security obligations has to be outlined The RSI security site breaks down the measures in a few detail, but the process in essence goes like this: https://www.dimeoutlet.com/nathan-labs-expands-cyber-security-services-in-saudi-arabia