When an organization is implementing an information security governance program, its board of
directors should be responsible for:

A.
drafting information security policies.

B.
reviewing training and awareness programs.

C.
setting the strategic direction of the program.

D.
auditing for compliance.

Explanation:

A board of directors should establish the strategic direction of the program to ensure that it is in
sync with the company’s vision and business goals. The board must incorporate the governance
program into the overall corporate business strategy. Drafting information security policies is best
fulfilled by someone such as a security manager with the expertise to bring balance, scope and

focus to the policies. Reviewing training and awareness programs may best be handled by
security management and training staff to ensure that the training is on point and follows best
practices. Auditing for compliance is best left to the internal and external auditors to provide an
objective review of the program and how it meets regulatory and statutory compliance.