Why must senior management endorse a security policy?
A. So that they will accept ownership for security within the organization.
B. So that employees will follow the policy directives.
C. So that external bodies will recognize the organization's commitment to security.
D. So that they can be held legally accountable.
Explanation:
This really does not need a reference, as it should be known. Upper management is legally accountable (up to a 290 million fine). The external organizations answer is not really too pertinent (however, it stated that other organizations will respect a BCP and disaster recovery plan). Employees need to be bound to the policy regardless of who signs it, but it gives validity. Ownership is the correct answer in this statement. However, here is a reference:
“Fundamentally important to any security program’s success is the senior management’s high-level statement of commitment to the information security policy process and a senior management’s understanding of how important security controls and protections are to the enterprise’s continuity. Senior management must be aware of the importance of security implementation to preserve the organization’s viability (and for their own ‘due care’ protection) and must publicly support that process throughout the enterprise.” - Ronald Krutz, The CISSP Prep Guide (Gold Edition), pg. 13