CISSP-ISSEP · Question #50
Which of the following approaches can be used to build a security program? Each correct answer represents a complete solution. Choose all that apply.
The correct answer is C. Bottom-Up Approach D. Top-Down Approach. Bottom-Up (C) and Top-Down (D) are the two recognized approaches for building a security program. In the Top-Down approach, senior management initiates and drives the security program - policies and goals flow down from executives to technical staff, ensuring organizational buy-i
Question
Which of the following approaches can be used to build a security program? Each correct answer represents a complete solution. Choose all that apply.
Options
- ARight-Up Approach
- BLeft-Up Approach
- CBottom-Up Approach
- DTop-Down Approach
How the community answered
(31 responses)- A3% (1)
- B6% (2)
- C90% (28)
Explanation
Bottom-Up (C) and Top-Down (D) are the two recognized approaches for building a security program. In the Top-Down approach, senior management initiates and drives the security program - policies and goals flow down from executives to technical staff, ensuring organizational buy-in and adequate resources. In the Bottom-Up approach, technical staff (like IT or security teams) identify risks and build security controls from the ground up, often without formal executive sponsorship - less ideal but common in practice.
"Right-Up" (A) and "Left-Up" (B) are fabricated distractors with no meaning in security frameworks or standards (NIST, ISO 27001, CISSP domains, etc.). They exist solely to test whether you know the real terminology.
Memory tip: Think of a corporate org chart - security programs travel either down from the CEO/board (Top-Down) or up from the sysadmin/security analyst (Bottom-Up). If a direction doesn't map to vertical movement on that chart, it's a distractor.
Topics
Community Discussion
No community discussion yet for this question.