An information security program should be sponsored by:
A. infrastructure management.
B. the corporate audit department.
C. key business process owners.
D. information security management.
Explanation:
The information security program should ideally be sponsored by business managers, as
represented by key business process owners. Infrastructure management is not sufficiently
independent and lacks the necessary knowledge regarding specific business requirements. A
corporate audit department is not in as good a position to fully understand how an information
security program needs to meet the needs of the business. Audit independence and objectivity will
be lost, impeding traditional audit functions. Information security implements and executes the
program. Although it should promote it at all levels, it cannot sponsor the effort due to insufficient
operational knowledge and lack of proper authority.