Which of the following is the MOST appropriate board-level activity for information security governance? 

Answer options:

A. Establish security and continuity ownership
B. Develop what-if scenarios on incidents
C. Establish measures for security baselines
D. Include security in job-performance appraisals

A