My company has decided to add two people within our IT dept. to head a security department. Our duties will be to provide checks and balances between groups within the company and be an impartial "auditor" of security actions that arise (employees visiting bad sites, reading each other's emails, violating confidentiality agreements). Another duty that we will uphold is ensuring the security of our web clusters that take customers' orders and hold customer information. Lastly, we will uphold the responsibility of ensuring MS vulnerabilities are patched and assess new hotfixes and patches offered by MS. Our infrastructure currently consists of two DHCP controllers running win 2k server. We have just migrated to AD and are days away from phasing out exch. 5.5 and being 100% exch. 2000. We have a GNATBox Firewall made by GTA in front of and behind our two Data T1's. We have also recently implemented MS ISA server (waiting to be impressed with ISA) that maintains internet security for all end users.
Currently we know that there are many cracks in our armor, and it will be our job to identify those cracks and patch them up. We know that we also have an issue with packets that contain customer information being easily picked up within the internal network.
I have read the FAQs and they seem to best serve someone on an individual basis. The items that I am looking for advice on contrast greatly.
1. Is there anyone out there that knows of Guidelines for creating an InfoSec department within an IT dept. within a corporate company? These will obviously be custom policy guidelines, but a template that another company uses will get us off to a good start.
2. What are some nice tools out there to analyze protocol layers and packets? We need an app (preferably for purchase) that will allow us to capture packets. One thing that we will need in case we run into resistance in creating this group (Long Story. Battle of Director of IT to keep as many techs under him as possible to maintain his current income level) is actual packet data to show the upper management that there is a data security concern.
I am actually a Telecom Analyst with a degree in Computer Systems/Networking Technology. The other technician that will be heading this group with me is a Sr. Network Engineer. Some of these questions may seem elementary to many of you and some may not have enough age or experience in the corporate world to know how delicate this chance is. Any help will be greatly appreciated.