An effective security policy is a detrimental part of any organization’s sustainability, and can mean the difference between success and failure for the organization should a disaster occur. The main components of the security policy are the incidence response plan and the disaster recovery plan. Many organizations, however, do not know how to go about incorporating these plans into their policies and standards. The workshop discusses best practices in gathering requirements for the development of Incident Response Planning, paying particular attention to issues that are unique in an online learning system. An actual organization in need of these plans was selected and participated in this study. Issues to discuss include physical walkthroughs of facilities, obtaining knowledge of the procedures and policies already in place at organizations, methods of interviewing key people in the organization, analyzing the organization’s strengths and weaknesses as they relate to physical and logical security, and legal requirements that should be followed. With this information, the workshop will then demonstrate how to devise a comprehensive plan to assist an organization in meeting minimum-security standards through implementation of best practices as outlined by the National Institute of Science and Technology (NIST).