The MOST basic requirement for an information security governance program is to:

A.
be aligned with the corporate business strategy.

B.
be based on a sound risk management approach.

C.
provide adequate regulatory compliance.

D.
provide best practices for security- initiatives.

Explanation:

To receive senior management support, an information security program should be aligned with the corporate business strategy. Risk management is a requirement of an information security program which should take into consideration the business strategy. Security governance is much broader than just regulatory compliance.
Best practice is an operational concern and does not have a direct impact on a governance program.