Security Basics (Part Nine): Approaches to Information Security Implementation

Posted by Thomas Davon on

Information security must be taken seriously, and the measures needed to protect information should be in place and properly implemented.

Protecting information assets is an incremental process. It requires coordination, time, and patience to be done effectively.

A good approach to information security should be one that begins at the grassroots and works up to the top. Such an approach is known as a bottom-up approach to information security. Here, the management or administrators of an organization are responsible for improving the security of their systems. This approach depends largely on the expertise of the administrators and management. Its problem is that it lacks participant support and organizational staying power, which makes it an unreliable approach.

The top-down approach is the other approach, and it is initiated by upper-level managers. They state the policies, procedures and processes to be used in the information security implementation. They also dictate the goals and expected outcomes of the implementation processes and determine accountability for each required action.

This approach is likely to be more successful than the bottom-up approach because of its strong upper-management support, a dedicated champion, usually dedicated funding, a clear planning and implementation process, and the means of influencing organizational culture. The success of this approach depends on high-level, organization-wide support. Without this high-level support, many mid-level administrators often fail to make time for the project. For it to succeed, there must also be involvement and support from the end users. These key end users should be assigned to a developmental team, known as the joint application development (JAD) team.

There are different kinds of top-down approach, but the most successful kind involves a formal development strategy known as a systems development life cycle.
