Explain the difference between a policy and a procedure in security operations.

Policies establish the overarching rules and standards for security operations, expressing what must be true and what outcomes are required. Procedures translate those rules into concrete steps, detailing who does what, in what order, and which tools or forms are used to carry out the rule. For example, a policy might require access to follow the principle of least privilege and be reviewed annually; the procedure would specify the exact workflow for requesting access, the approval chain, how provisioning or revocation is performed, and how records are kept. Other options blur the distinction by treating detailed steps as the policy or describing policy as merely behavior, but they miss the essential difference: policy = high-level rule; procedure = the exact methods to implement that rule.