A successful IT security program consists of the following:1. Developing IT security policy that reflects business needs tempered by known risks.2. Informing users of their IT security responsibilities, as documented in agency secu- rity policy and procedures.3. Establishing processes for monitoring and reviewing the program.