How does a security policy differ from a security procedure?

Study for the IBM Security Analyst Exam. Prepare with flashcards and multiple-choice questions; each question has hints and explanations. Get ready for your exam success!

A security policy serves as a high-level document that outlines the organization's overall protection strategy and objectives regarding data security, risk management, and compliance. It typically reflects the values and goals of the organization and provides the framework within which security practices must operate. The policy sets expectations for the security posture of the organization and establishes the rationale for implementing particular measures.

On the other hand, security procedures are detailed, specific steps that describe how to implement the directives laid out in the security policy. They provide the practical actions and guidelines that employees and departments must follow to adhere to the policy. Thus, defining the distinction between a security policy and procedures is crucial in ensuring that an organization can effectively manage its security resources and processes, making choice C an accurate representation of this relationship.

The other options do not accurately capture this distinction. For instance, while the enforceability of policies and procedures can vary from one organization to another, both policies and procedures typically align with mandatory compliance, making the assertion about mandatory versus optional inaccurate. Additionally, the reach of policies and procedures is more nuanced than applying universally to all employees or being limited to specific departments, as both can have organization-wide implications depending on the context.
