Found this great article on SANS.  Super important to at least have an eye on you security on a regular basis.  The last thing you want is to be in court, whether for real, or the court of public opinion, after a breach, admitting you had no formal plan.  The article has a link to security policy resources at the bottom.

https://isc.sans.edu/diary/Your+Security+Policy+Is+So+Lame/19991