The configuration management plan should PRIMARILY be based upon input from:

A. business process owners.

B. the information security manager.

C. the security steering committee.

D. IT senior management.

Explanation:

Although business process owners, an information security manager and the security steering committee may provide input regarding a configuration management plan, its final approval is the primary responsibility of IT senior management.