___________ is an aggregate of directives, rules, and practices that prescribe how an organization manages, protects, and distributes information.

Multiple Choice

Explanation:
The main concept is governance of information handling through formal directives, rules, and practices. An information security policy is the umbrella document that sets the organization's approach to how information is managed, protected, and shared. It establishes security objectives, assigns roles and responsibilities, and defines acceptable use, data classification, access controls, and handling procedures. Because it provides the overarching rules that shape all security activities, it guides the creation and operation of all other plans and controls.

Incident response plans focus on actions after a security event, outlining how to detect, respond, recover, and communicate during incidents. The risk management framework is the process used to identify, assess, and treat risks, often guiding which controls to implement. The business continuity plan concentrates on maintaining or restoring critical operations during and after disruptions. Each of these serves a specialized purpose within the broader policy framework.