Building your security policy starts with determining the device’s assets, identifying threats to those assets, and defining mitigations to those threats. Your policy has to factor in your risk tolerance as you determine which mitigations to implement.