Information security policies should be reviewed _____________________.
A . by the internal audit semiannually
B . by the CISO when new systems are brought online
C . by the Incident Response team after an audit
D . by stakeholders at least annually
Answer: D