The document discusses establishing security controls and procedures for information systems assets at a university. It describes identifying critical university assets, risks to those assets, and controls to mitigate risks. The document recommends a process for prioritizing assessing risks and costs/benefits of controls for each asset to make informed investment decisions.