Implementing Information Security (top down and bottom up approach)
In today's world, where data is a very important asset, there is an urgent need to protect it. Enterprises are, and want to be, more acutely aware of how they expose themselves to the outside world. Implementation of information security must begin within an organisation, and it is not a simple process that happens in a specific time frame. In reality, securing information assets is a complicated process that requires coordination, time and patience. To protect data from threats, we need to implement certain methods, or rather approaches.
The two approaches that have been widely implemented are:
Top Down Approach and Bottom Up Approach
Top Down Approach
This type of approach is known to be the most successful and is more likely to succeed in large organisations. As an inherent duty of the chief, controlling costs and devising a technique to maximise return represents a paramount objective.
The top down approach depends highly on the upper level of the staff. The senior employees are more experienced and have a vast amount of knowledge, which can help the organisation build its work culture and establish measures to be followed throughout the organisation, leading to better information security and discipline among employees. Here the chief information officer (CIO) and/or the vice president of information technology takes the major role and moves the project forward. They are responsible for laying down the policies and rules and assigning different tasks to the staff members who specialise in solving a specific part of the problem. The major benefit of this type of approach is that the senior staff can accurately identify the priorities and the expected results of the project. Identifying the priorities leads to a better quality of security implementation, as it helps to concentrate on important tasks and avoid wasting time on petty ones, which directly leads to better time management and on-time delivery of tasks and jobs.
Bottom Up Approach
The Bottom Up Approach is exactly what it sounds like: it involves the system administrators and other junior staff of the organisation using their experience and knowledge to implement information security. The idea behind this type of approach is that people working in the field of information security/systems use their knowledge and skill in cyber security to ensure the planning of a highly secure information security model.
In the bottom up approach, the operational staff initiate the process and then transmit the findings to the top levels. The main advantage of the bottom up approach is the technical expertise of the individual administrators. They work on the information system daily and acquire in-depth knowledge, which leads to the strengthening of the system. Another advantage is that the level of security relies on the expertise of the employee, which can be helpful in tackling any vulnerabilities and thus strengthening the system. This approach, while traditionally implemented, has its flaws. The lack of communication or cooperation with the senior managers and directives makes it less suitable for the strategies and requirements of the organisation.
Top Down Approach Vs Bottom Up Approach
Implementation of security is done in different ways in organisations. Traditionally, the bottom up approach is adopted in many organisations, where the cyber security engineers and system admins implement security measures and report the findings to the top-level senior employees. However, this might lead to disruption, disconnect or lack of cooperation between the junior employees and senior employees, due to which certain threats and vulnerabilities can go unseen, which might result in the system collapsing.
On the other hand, the top down approach is said to be more successful, as the top-level management is involved in the implementation of the security. With their experience and valuable information, they tend to better understand the gravity of the situation, prescribe certain policies and lay down systematic procedures that need to be followed by cyber engineers and other junior staff to meet a certain goal.