What is the function of a security policy?

Prepare for CISSP Domain 2 Information Risk Management. Study with multiple-choice questions; each question offers insights and explanations. Ace your exam!

A security policy serves the critical function of formalizing information security practices within an organization. It establishes a comprehensive framework that outlines the organization's approach to protecting its information assets, including the definition of acceptable use, access control measures, incident response procedures, and compliance with relevant laws and regulations.

By codifying these practices, the security policy helps ensure that all employees understand their roles and responsibilities regarding information security. It fosters a culture of security awareness, guiding employees on how to handle data and respond to potential threats. Additionally, having a formalized security policy assists in risk management by clearly identifying security controls and best practices, which can ultimately lead to reduced vulnerabilities and enhanced protection of sensitive information.

The other options pertain to aspects of an organization that, while important, do not relate to the primary purpose of a security policy. For instance, guiding marketing strategies, monitoring employee attendance, and managing customer interactions represent operational and strategic functions outside the scope of information security. Thus, the most appropriate choice that reflects the role of a security policy is the formalization of information security practices.
