Information security should be:
A . focused on eliminating all risks.
B . a balance between technical and business requirements.
C . driven by regulatory requirements.
D . defined by the board of directors.
Answer: B
Explanation:
Information security should ensure that business objectives are met given available technical capabilities, resource constraints and compliance requirements. It is not practical or feasible to eliminate all risks. Regulatory requirements must be considered, but are inputs to the business considerations. The board of directors does not define information security, but provides direction in support of the business goals and objectives.