Policies are mandatory, they are high level and non-specific. They are contain “Patches, updates,
strong encryption”, but they will not be specific to “OS, encryption type, vendor technology”. They
are approved and often written by senior management.