An organization’s board of directors has learned of recent legislation requiring organizations within
the industry to enact specific safeguards to protect confidential customer information. What actions
should the board take next?

A.
Direct information security on what they need to do

B.
Research solutions to determine the proper solutions

C.
Require management to report on compliance

D.
Nothing; information security does not report to the board

Explanation:

Information security governance is the responsibility of the board of directors and executive
management. In this instance, the appropriate action is to ensure that a plan is in place for
implementation of needed safeguards and to require updates on that implementation.