Policies should specify the details of how protections are to be applied.

Prepare for the Network Security (NETSEC) 2 Exam. Utilize flashcards and multiple choice questions, complete with hints and detailed explanations. Excel in your security skills!

Multiple Choice

Policies should specify the details of how protections are to be applied.

Explanation:
Policies set high-level directives about protections, not the exact steps to apply them. In practice, security governance distinguishes policy, standards, and procedures: the policy states goals, scope, and responsibilities; standards specify the required controls and their minimum criteria; procedures describe the concrete steps to implement, configure, and operate those controls. Keeping details out of policy lets the organization adapt to changing technologies and environments without rewriting the policy. For example, a policy might require encryption for sensitive data; a standard would define approved algorithms and key lengths, and a procedure would explain how to enable and manage encryption on systems. Therefore, the statement is false, and these details belong in standards and procedures rather than the policy. This approach isn’t limited to high-risk environments; most organizations apply it organization-wide.

