Creation should include identifying
- the type of organization the system serves
- the existing components of the system
- data used and how it is used
- the individuals who have system access
- the users and the purpose of the system
- existing policies, standards, and procedures and how they might need to change
- the enforcement of policy
- monitoring procedures, network audit trails.