I can only recommend that you have in place a security policy (issued by top management) and a security plan (implemented, ideally, by the IT officer jointly with the person who holds overall responsibility for security).
How to do it?
There are several frameworks on how to do it: BS 7799 et al., including ISO 17799 et al. In addition you will find several frameworks from consulting firms (both general consulting and technically oriented consulting). Hard to say which is best, but having one is key.
How did we do it?
1. Issue a security policy (general statements issued by top management/the CEO, 2-3 pages; content: goals, scope, tasks/duties, responsibilities, security organisation).
PS1: Please clearly define whether you are dealing with information security (which is broader in scope) and/or information technology security.
2. Work out a security plan (operational guide/workbook/plan/handbook; revised yearly or periodically; issued by the IS/IT security officer/responsible; content: a) analysis of the current state (systems, networks, applications, organisation, etc.), b) risk analysis (threat analysis), c) IS/IT security goals, d) implementation plan (measures, resources), e) audit/controlling, then start over with a)).
3. Compile, issue, communicate and audit guidelines where appropriate, backed up with a list of operational measures depending on the threats you identified in 2b: "What do I do if…" (the areas most likely would be mail and internet use, disaster recovery, physical security, loss of mobile devices, etc.).
That’s how we did it in my former job where I was CIO (company with 4000+ employees, 120+ locations all over Europe).
If you need any further assistance, please let me know. Maybe we can strike a deal…