Which of the following does NOT demonstrate management's commitment to information security?

Get ready for the ISO 27001 Internal Auditor Exam. Learn through flashcards and multiple choice questions with hints and explanations. Ace your auditor test!

Exempting senior staff from security rules does not demonstrate management's commitment to information security because it creates an inconsistency in policy enforcement. A key principle of effective information security management is that security policies apply uniformly across the organization, regardless of a person's position. This equitable application helps to foster a culture of security awareness and accountability.

When senior staff are exempt from these rules, it sends a message that security practices are not as critical for them, which can undermine the organization's security posture. In contrast, regularly communicating about security updates, encouraging feedback on the Information Security Management System (ISMS), and providing ongoing security training are all actions that reinforce a commitment to information security. These practices show that management values security, engages with employees about it, and prioritizes ongoing education to protect the organization’s information assets.
