This policy defines the requirements for developing an effective security plan, including the selection of security controls and enhancements for Ohio Department of Administrative Services (DAS)-managed information systems.