When choosing the best controls to mitigate risk to acceptable levels, the information security manager’s decision should be MAINLY driven by:

A. cost-benefit analysis
B. regulatory requirements
C. best practices
D. control framework