For every security assessment conducted within an organization, there should be a list of action items to close any identified gaps. These action items should be transferred into a strategy for execution. Also within the organization, there should be an awareness plan which outlines all the activities for a year that will keep security in the forefront of the minds of all staff. The Information Security Program is a combination of the Security Strategy and Security Awareness Plan, in line with the mission and vision of the organization.