If you had to start over how would you do it?
The NIST (National Institute of Standards and Technology) document is a good place to start:
http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
Special Publication 800-37 Revision 1
Guide for Applying the Risk Management Framework to Federal Information Systems
The document outlines how to set up a Risk Management Framework, including partnerships with third-party providers, outsourcing relationships, and supply chain considerations.
This is a framework that is to be used by federal agencies and any company that interacts with the federal government.
Monitoring the environment continuously is an important aspect. As changes get implemented in the environment, the changes must be tracked with security in mind, and the security controls must be updated.
Have you set up the roles for each labor resource?
Security Control Assessor
Information System Owner or Common Control Provider
Information System Security Officer
The monitoring of security controls within a company is important, as we need to stay abreast of the security challenges ahead.