An information security manager at a global organization that is subject to regulation by multiple governmental
jurisdictions with differing requirements should:

A.
bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.

B.
establish baseline standards for all locations and add supplemental standards as required.

C.
bring all locations into conformity with a generally accepted set of industry best practices.

D.
establish a baseline standard incorporating those requirements that all jurisdictions have in common.

Explanation:

It is more efficient to establish a baseline standard and then develop additional standards for locations that must meet specific requirements. Seeking a lowest common denominator or just using industry best practices may cause certain locations to fail regulatory compliance. The opposite approach—forcing all locations to be in compliance with the regulations places an undue burden on those locations.