An organization has outsourced its IT security management function to an external service provider. The BEST party to own the IT security controls under this arrangement is the:

A. organization’s risk function
B. service provider’s audit function
C. organization’s IT management
D. service provider’s IT security function