Which of the following is the BEST approach for an information security manager to effectively manage third-party risk? 

Answer options:

A. Ensure controls are implemented to address changes in risk.
B. Ensure senior management has approved the vendor relationship.
C. Ensure risk management efforts are commensurate with risk exposure.
D. Ensure vendor governance controls are in place.

D