Systems Security Certified Practitioner – SSCP – Question0323

Who should DECIDE how a company should approach security and what security measures should be implemented?

A. Senior management
B. Data owner
C. Auditor
D. The information security specialist

Correct Answer: A

Explanation:

Senior management is responsible for the security of the organization and the protection of its assets. The other answers are incorrect for the following reasons. Data owner is incorrect because data owners should not decide what security measures should be applied. Auditor is also incorrect because an auditor cannot decide what security measures should be applied. The information security specialist is also incorrect: they may have the technical knowledge of how security measures should be implemented and configured, but they should not be in a position to decide what measures should be applied.
Reference: Shon Harris AIO v3, Chapter 3: Security Management Practices, Page 51.