Information security should be:

A.
focused on eliminating all risks.

B.
a balance between technical and business requirements.

C.
driven by regulatory requirements.

D.
defined by the board of directors.

Explanation:

Information security should ensure that business objectives are met given available technical
capabilities, resource constraints and compliance requirements. It is not practical or feasible to
eliminate all risks. Regulatory requirements must be considered, but are inputs to the business
considerations. The board of directors does not define information security, but provides direction

in support of the business goals and objectives.