classifying information according to organization’s classification scheme and establish the operating procedures for each level of classified information; (9) define information security requirements