This document discusses establishing a framework for security and control of information systems. It covers topics such as information system controls, risk assessment, security policy, disaster recovery and business continuity planning, and the role of auditing. The framework is designed to protect information assets from internal and external threats.