This document provides the critical steps needed to implement an enterprise-wide security awareness effort, build concurrence among other departments, and provide baselines, maturity levels and control objectives. Information systems and networks are exposed to both internal and external threats. Everyone must understand that a security failure may significantly harm those systems and the information under their control, as well as the other systems and business processes that depend on them. Additionally, increased regulatory pressure, including the European Data Protection Directive, the US Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA), requires organizations to implement formal security policies. Educating employees is a frontline defense for adherence to those policies and their proper implementation. The guidance provided includes: