identification of an organization's assets and potential risks, followed by the development, documentation, and implementation of policies and procedures for protecting these assets