Which must bear the primary responsibility for determining the level of protection needed for information
systems resources?

A.
IS security specialists

B.
Senior Management

C.
Senior security analysts

D.
systems Auditors

Explanation:
Computers and the information processed on them usually have a direct relationship with a company’s critical
missions and objectives. Because of this level of importance, senior management should make protectingthese items a high priority and provide the necessary support, funds, time, and resources to ensure that
systems, networks, and information are protected in the most logical and cost-effective manner possible.
For a company’s security plan to be successful, it must start at the top level and be useful and functional at
every single level within the organization. Senior management needs to define the scope of security and identify
and decide what must be protected and to what extent.
Incorrect Answers:
A: IS security specialists may be the ones who implement the security measures; however, they do not bear the
primary responsibility for determining the level of protection needed for information systems resources.
C: Senior security analysts may be the ones who determine how to implement the security measures; however,
they do not bear the primary responsibility for determining the level of protection needed for information
systems resources.
D: Systems Auditors ensure the appropriate security controls are in place. However, they do not bear the
primary responsibility for determining the level of protection needed for information systems resources.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 101