Policies drive ________.

Policies establish what must be done and how it will be checked, so they drive both the implementation of security controls and the oversight of those controls. Implementation is the process of turning policy requirements into concrete safeguards—configuring encryption, access controls, monitoring, and other safeguards that actually protect systems. Oversight is the ongoing governance activity—audits, compliance checks, and reviews—that verifies those safeguards are in place and functioning as intended. For example, a policy mandating encryption at rest leads to implementing encryption on databases and backups, plus regular audits of encryption use and key management. Because policies shape both the deployment of safeguards and their continued supervision, they drive both implementation and oversight. The other options don’t fit as well because focusing on only one aspect would miss how policies govern security in both deployment and governance.