What is the primary function of a security policy in an organization?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

What is the primary function of a security policy in an organization?

Explanation:
A security policy serves as the formal framework that communicates management’s approach to protecting information. It lays out the guidelines, rules, and procedures that govern how information security is implemented, who is responsible, what controls must be in place, and how risk is managed. This high-level document provides a baseline for all security activities, guides decision-making, and supports compliance and enforcement across the organization. While tasks like maintaining hardware, listing access rights, or providing training are important controls or operational activities, they are examples of what the policy governs rather than its main purpose. Therefore, outlining guidelines and procedures for maintaining information security best captures the policy’s purpose.

