To remain competitive, and to achieve our goals, we must refine our approaches to strategic planning and incorporate them into management activities. One important refinement of strategic planning involves the preparation and maintenance of an information security plan to help resolve a serious problem (exemplified by the “tragedy of the commons”) found in data communications and multi-user computer environments. This article addresses the factors compelling us to be more serious about planning such as the increasing amplitude and frequency of technological change. It discusses ways of using a plan to create an appropriate information systems security environment. These include using a plan to generate a sense of urgency about information security, and using a plan as the foundation for engineering a conversation with management about appropriate security measures. The article considers the specific problems encountered when information security planning is inadequate and proposes that a target secure computing environment be defined as the starting point of an information security plan. Ways of incorporating flexibility into a security plan are also described. 25 specific examples of data communications controls are provided to assist readers in developing control measures suitable for inclusion in their own information security plans.