For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.
In complex systems, such as information systems, policies can be decomposed into sub-policies to facilitate the allocation of security mechanisms to enforce sub-policies.
It is too easy to simply go directly to the sub-policies, which are essentially the rules of operation and dispense with the top level policy.
That gives the false sense that the rules of operation address some overall definition of security when they do not.
Because it is so difficult to think clearly with completeness about security, rules of operation stated as "sub-policies" with no "super-policy" usually turn out to be rambling rules that fail to enforce anything with completeness.