Policy, Process, and Technology

The policy is what tells us the solution we want to achieve. After we have that goal, we can define the appropriate processes to achieve it, and only then can we create a technology solution to implement the processes.

The security policy is what tells you what threats you are facing, which ones you are willing to accept, and which ones you want to mitigate.

Adopted from Protect Your Windows Network : From Perimeter to Data by Jesper M. Johansson, Steve Riley.