SSCP Security Program Approach

People-Driven Security Program


Question

Which approach to a security program ensures people responsible for protecting the company's assets are DRIVING the program?

Answers

Explanations


A. B. C. D.

B.

A security program should use a top-down approach, meaning that the initiation, support, and direction come from top management; work their way through middle management; and then reach staff members.

In contrast, a bottom-up approach refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction.

A bottom-up approach is commonly less effective, not broad enough to address all security risks, and doomed to fail.

A top-down approach makes sure the people actually responsible for protecting the company's assets (senior management) are driving the program.

The following are incorrect answers: The Delphi approach is incorrect because it is a brainstorming technique.

The bottom-up approach is also incorrect, as it describes the IT department trying to develop a security program without proper support from upper management.

The technology approach is also incorrect as it does not fit into the category of best answer.

Reference(s) used for this question: Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 63). McGraw-Hill. Kindle Edition.

The approach to a security program that ensures people responsible for protecting the company's assets are driving the program is the top-down approach (Option B).

The top-down approach to a security program involves management and executives setting the security goals, objectives, and policies for the organization, which are then communicated down to the various departments and individuals responsible for implementing the security measures. The approach ensures that the security program aligns with the organization's strategic objectives and business goals.

In the top-down approach, management and executives drive the security program by providing direction and oversight to the individuals and departments responsible for implementing and executing the security measures. The approach ensures that the security program is integrated into the overall business operations and that the security measures are aligned with the organization's risk management and compliance strategies.

The bottom-up approach (Option C) involves the individuals and departments responsible for implementing the security measures driving the security program, which is then communicated up to management and executives. This approach can lead to a lack of consistency and coordination in the security measures and may not align with the organization's strategic objectives.

The technology approach (Option D) focuses on implementing security measures through technology, such as firewalls, intrusion detection systems, and antivirus software. While technology is an essential aspect of a security program, it is not enough on its own and must be integrated into a broader security strategy.

The Delphi approach (Option A) involves a group of experts providing their opinions on a particular topic, which are then combined to reach a consensus. This approach is not specifically related to security programs and is not suitable for ensuring that people responsible for protecting the company's assets are driving the program.