Guidelines and procedures that define and enforce an organization’s security objectives and practices.