312-50V10 · Question #262
When creating a security program, which approach would be used if senior management is supporting and enforcing the security policy?
The correct answer is B. A top-down approach. A top-down security approach is one where senior management initiates, sponsors, and enforces the security policy, giving it organizational authority and resources.
Question
When creating a security program, which approach would be used if senior management is supporting and enforcing the security policy?
Options
- AA bottom-up approach
- BA top-down approach
- CA senior creation approach
- DAn IT assurance approach
How the community answered
(14 responses)- B93% (13)
- C7% (1)
Why each option
A top-down security approach is one where senior management initiates, sponsors, and enforces the security policy, giving it organizational authority and resources.
A bottom-up approach is the opposite model, where IT or technical staff try to establish security practices without formal senior management mandate or organizational authority.
In a top-down security approach, executive or senior management drives the creation and formal enforcement of security policies, supplying the budget, authority, and consequences necessary for organization-wide compliance. This is the preferred model because management commitment ensures policies carry weight across all departments, not just IT. It stands in direct contrast to a bottom-up approach, where technical staff attempt to enforce security without formal executive backing.
'Senior creation approach' is not a recognized term in any security program management framework or certification domain.
'IT assurance approach' is not a standard security governance term and does not describe a management-driven enforcement model.
Concept tested: Top-down security program management and policy enforcement
Source: https://csrc.nist.gov/publications/detail/sp/800-100/final
Topics
Community Discussion
No community discussion yet for this question.