When an organization is implementing an information security governance program, its board of directors
should be responsible for:

A.
drafting information security policies.

B.
reviewing training and awareness programs.

C.
setting the strategic direction of the program.

D.
auditing for compliance.

Explanation:

A board of directors should establish the strategic direction of the program to ensure that it is in sync with the company’s vision and business goals. The board must incorporate the governance program into the overall corporate business strategy. Drafting information security policies is best fulfilled by someone such as a security manager with the expertise to bring balance, scope and focus to the policies. Reviewing training and awareness programs may best be handled by security management and training staff to ensure that the training is on point and follows best practices. Auditing for compliance is best left to the internal and external auditors to provide an objective review of the program and how it meets regulatory and statutory compliance.