The information security plan should establish the information security program as the group responsible for the establishment of information security policy and clearly define who is responsible for following that policy.

Enforcement areas:

• People: Define the types of users that will be bound by information security policies (staff, contractors, students, and so on)
• Technology: Define the enterprise technology scope under the authority of the information security program