An information security program should be established PRIMARILY on the basis of:

A. the approved information security strategy.
B. the approved risk management approach.
C. data security regulatory requirements.
D. senior management input.