A _____ is a formal set of guidelines outlining the expected level of information security a system should provide.


Prepare for the Operating System Security Exam. Study with flashcards and multiple-choice questions, each with hints and explanations. Get ready for your test!

A policy is a formal set of guidelines that outlines the expected level of information security a system should provide. It serves as a foundational document that establishes the framework for security governance within an organization. By defining roles, responsibilities, and acceptable behaviors concerning information security, policies ensure that all stakeholders understand the expectations and standards related to data protection and system security compliance.

In many organizations, a security policy addresses aspects such as user access controls, data handling procedures, incident response protocols, and the management of security resources. This helps create a consistent approach to safeguarding sensitive information and aids in risk management.

The other options, while related, do not possess the same authoritative weight as a policy. A compendium typically refers to a concise compilation or summary of information rather than a governing document. A manual is usually a more detailed document that provides instructions for specific processes or procedures, rather than outlining security expectations. Guidelines are recommendations or best practices that can help inform policies but do not constitute formalized requirements themselves. Therefore, the defining nature of a policy makes it the correct answer in this context.