The first article in this series discussed the importance of becoming familiar with the types of threats to the agency’s data security. Once the threats to security have been identified, the next step is to begin the process of preventing them by writing a security policy. The first consideration for the policy construction is who should write the plan. It is advised that data security planning should begin at the grassroots level, with the officers who will be entering and manipulating the data under question. An example of what a security policy should cover is provided by the United States Park Police policy, which includes a physical security component, passwords, software and hardware restrictions, internet rules, e-mail rules, privacy expectations, and incorporates a mechanism for reporting security threats or breaches. One of the most important components of a good security plan involves layering the policy; meaning, personnel know only what they need to know to perform their job. A good policy should be flexible enough to change with the ever-changing technology and should be based on best practices and industry standards. Implementing the security policy involves both personnel training and asset management. Contingency planning and risk management must also be built into the security policy from the beginning so that if problems arise, there is already a solution in place. Finally, consistent and frequent review of the policy is necessary to maintain cutting-edge security in an ever-changing technological world. The article contains a textbox on low-cost options for data security.