What’s Wrong With This Picture?
Policy -- “an informal, generally natural language description of desired system behavior.”
Requirement -- “A statement of the system behavior needed to enforce a given policy. Requirements are used to derive the technical specification of a system.”
Specification -- “A technical description of the desired behavior of a system, as derived from its requirements. A specification is used to develop and test the implementation of a system.”
Source: Longley, Shain & Caelli, Information Security. Stockton Press, New York, 1992.