312-50V11 · Question #262
When creating a security program, which approach would be used if senior management is supporting and enforcing the security policy?
The correct answer is B. A top-down approach. A top-down security approach is defined by senior management initiating, supporting, and enforcing the organization's security policy from the highest level of authority.
Question
When creating a security program, which approach would be used if senior management is supporting and enforcing the security policy?
Options
- AA bottom-up approach
- BA top-down approach
- CA senior creation approach
- DAn IT assurance approach
How the community answered
(42 responses)- A5% (2)
- B86% (36)
- C7% (3)
- D2% (1)
Why each option
A top-down security approach is defined by senior management initiating, supporting, and enforcing the organization's security policy from the highest level of authority.
A bottom-up approach originates from IT or technical staff who identify security needs without formal senior management direction or mandate.
In a top-down approach, executive or senior management drives the security program by mandating policies and committing organizational resources, which gives security initiatives the authority needed for enforcement across all departments. This model contrasts with a bottom-up approach, where security originates from technical staff without formal executive sponsorship. Senior involvement is the defining characteristic that distinguishes a top-down governance model.
Senior creation approach is not a recognized or standardized term in security program governance frameworks.
IT assurance approach is not a standard methodology for describing how a security program is initiated or governed within an organization.
Concept tested: Top-down vs bottom-up security program governance
Source: https://csrc.nist.gov/publications/detail/sp/800-100/final
Topics
Community Discussion
No community discussion yet for this question.