Welcome to JustAnswer and thank you for utilising our services.
I am reviewing your question and will be posting back answers.
I think it will take me hours. However, I'll opt out while working on it to allow an opportunity for exerts who can do it quicker
Hello. "Best practices" run for pages and pages and, what's more, are so ultra-general that they range from somewhat applicable to utterly inapplicable to the situation at hand.
Please tell me a bit more about what you're trying to protect. One has difficulty believing that this homework was assigned entirely out of context. While policies can be general, mechanisms and practices are specific, tailored to the particular needs of the situation.
By the way, I am the co-author of three of the National Computer Security Center's "Rainbow Books" and personally responsible for ~35% of the DITSCAP standard, which gave rise to NIACAP. The tool I wrote for the Defense Information Systems Agency for automatically generating System Security Accreditation Agreements became a desktop standard with 12K installed copies: disturbing, since it was the first Java program I ever wrote.