In March of 1997, the National Research Council (NRC) of the National Academy of Sciences issued the report, "For the Record: Protecting Electronic Health Information." In its report, the Council recommended both technical and organizational practices to protect electronic health information. At the time the report was issued, Vanderbilt University Medical Center was deeply immersed in the development of organizational practices consistent with the Council's recommendations. We agreed that the recommended technical and organizational practices are important for protecting other information types in addition to health information, and that they suggest appropriate practices for non-electronic information, as well. In this paper, we focus on our process for developing and implementing the seven organizational practices recommended for immediate implementation.