The City is a fast-growing city located on the northern edge of a metropolitan area. Its rapid growth is accompanied by increased demands from residents, local businesses, and other private and public institutions. To provide sufficient services and meet the high demands of its constituents, the City has responded by increasing its output through the expansion of its administration, such as the creation of new departments, projects, and initiatives. As a result, the Enterprise Security Operations Department has been developed to ensure information used, stored, and processed by the City is protected against adversaries. However, as the Enterprise Security Operations Department is still in its infancy, there are currently no goals or strategies to guide its operations. This resulted in a lack of an information risk management process, poor security practices and culture, and failure to understand the organization’s true security posture. The purpose of this project is to establish a formal Information Security Program with well-defined goals, strategies, and future roadmap through the following objectives: 1) understand the current state of security for the City; 2) strengthen the information security operations; and 3) improve the risk management process. Accomplishing these objectives will contribute to creating a solid information security foundation that the City can apply and build upon as the program matures.