- What am I trying to achieve?
- What is my threat model?
- What is the true, undecomposable value of that which I am protecting?
Once you have answered all of these, then:
- What should my policy say in order to express all the above?
- What technologies exist that will enable me to implement the above?