Chief Information Security Officer (CISO)

Who Decides Security Measures for a Company?


Question

Who should DECIDE how a company should approach security and what security measures should be implemented?

Answer

A. Senior management

Explanation

Senior management is responsible for the security of the organization and the protection of its assets.

The other answers are incorrect for the following reasons. The data owner is incorrect because data owners do not decide which security measures should be applied across the company.

The auditor is incorrect because an auditor evaluates controls but cannot decide which security measures should be applied.

The information security specialist is incorrect because, although they have the technical knowledge of how security measures should be implemented and configured, they should not be in the position of deciding which measures are applied.

Reference: Shon Harris, CISSP All-in-One Exam Guide (AIO), 3rd edition, Chapter 3: Security Management Practices, page 51.

The responsibility of deciding how a company should approach security and what security measures should be implemented rests with senior management. This is because senior management is responsible for establishing the overall goals, objectives, and strategies of the organization. Security is an essential component of the overall strategy, and senior management must ensure that the organization's security policies and procedures are aligned with its strategic objectives.

While data owners may have input into security measures related to their data, they are not responsible for determining the overall approach to security. Similarly, auditors may review and provide recommendations on security controls, but they are not responsible for making decisions on security measures to be implemented.

The information security specialist plays a critical role in providing guidance, expertise, and technical knowledge to senior management in the development and implementation of security measures. However, the responsibility for decision-making ultimately lies with senior management, who must balance the organization's security needs with other business objectives, such as efficiency, profitability, and customer satisfaction.

In summary, the responsibility for deciding how a company should approach security and what security measures should be implemented rests with senior management, who must work closely with the information security specialist to ensure that security policies and procedures are aligned with the organization's overall strategy and goals.