What might be a negative indicator of management commitment to information security?

Get ready for the ISO 27001 Internal Auditor Exam. Learn through flashcards and multiple choice questions with hints and explanations. Ace your auditor test!

Allowing exceptions to security rules for top management is a negative indicator of management commitment to information security because it undermines the integrity of the security policies the organization has established. When exceptions are made for particular individuals, it signals that the rules are not universally applicable, which can create a culture of disregard for established procedures. This increases vulnerability and risk, since it sets a precedent that some people are above the rules and encourages non-compliance among other employees. Note the distinction from a documented, time-limited exception approved through the ISMS risk acceptance process with compensating controls: that is ordinary risk management. The negative indicator is an exemption granted because of seniority rather than on the basis of assessed risk.

In a well-functioning information security management system (ISMS), commitment from management is essential (ISO/IEC 27001 addresses it explicitly under Leadership and commitment); it demonstrates accountability and shows everyone in the organization that security practices matter. When everyone, including management, adheres to the same security standards, it fosters a strong security culture and strengthens the organization's overall security posture.
