The Three P's of Information Security: Planning, Process, and Practice