I've often pointed out, here and elsewhere, that there is, as the writer of Ecclesiastes says, "nothing new under the sun." Mr. Schwartz wrote about this last week (and it is timely and too few of us are doing it). And I wrote these words in February 1999 (almost 10 years ago).
Security policy planning entails starting with the mission needs. Identify the crown jewels through data classification. Classifications might include "don't care," sensitive, financial, competitive, legal, privacy-related, etc. Re-read my old article at Foundations of Enterprise Network Security.