This document provides guidance on managing an information security program, written for those without an IT or security background. It outlines the basic necessities: getting management support, having written security policies and plans, conducting risk assessments, implementing controls such as the Critical Security Controls, and performing regular maintenance and monitoring through a security framework. The overall message is that with the right fundamentals, priorities, and ongoing attention, an effective security program can be achieved and maintained over time without deep technical expertise.