You are a cybersecurity analyst who has been assigned the task of recommending controls that have been determined as deficient during a recent risk assessment. Your organization uses effective technical encryption methods on the network, but there is no direction that states which encryption method must be used and how it must be used. This written direction must be developed for compliance purposes. Which of the following control categories and written directions should be developed to dictate what the requirements are for use of encryption within the organization?