This paper discusses how water and wastewater system owners go about conducting a security vulnerability assessment (SVA). Most proactive owners are using the Sandia National Laboratory's Risk Assessment Methodology for Water (RAM-W) to identify and protect critical infrastructure assets. The RAM-W helps an owner establish a foundation for risk management and security enhancement. The RAM-W includes a strategy for planning and prioritizing the protection of critical infrastructure assets. It provides a framework for making decisions about which are the most critical using a pair-wise comparison. Next, a design basis threat is created to identify and plan for potential threats to the utility. A detailed and well organized inventory of the critical assets associated with each facility is then generated using a fault tree analysis process. The critical assets are selected using qualitative analysis of potential impacts on an owner's ability to deliver the services required due to asset destruction or impairment. This paper is designed to familiarize the reader with the best practices and "lessons learned" that are available about what happens after the critical assets have been identified. This would include security and operational improvements that may be or have been implemented, as well as physical protection system improvements. The lessons learned and best practices produced for this paper are based on several SVA's conducted throughout the country using the RAM-W.