PrepAway - Latest Free Exam Questions & Answers

what security measures should be implemented?

Who should DECIDE how a company should approach security and what security measures should be
implemented?


A. Senior management

B. Data owner

C. Auditor

D. The information security specialist

Explanation:
Computers and the information processed on them usually have a direct relationship with a company’s critical
missions and objectives. Because of this level of importance, senior management should make protecting
these items a high priority and provide the necessary support, funds, time, and resources to ensure that
systems, networks, and information are protected in the most logical and cost-effective manner possible.
For a company’s security plan to be successful, it must start at the top level and be useful and functional at
every single level within the organization. Senior management needs to define the scope of security and identify
and decide what must be protected and to what extent.
Incorrect Answers:
B: The data owner can grant access to the data. However, the data owner should not decide how a company
should approach security and what security measures should be implemented.
C: Systems auditors ensure that the appropriate security controls are in place. However, they should not decide
how a company should approach security and what security measures should be implemented.
D: The information security specialist may be the one who implements the security measures. However, the
specialist should not decide how a company should approach security and what security measures should be
implemented.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 101

