Best Indication of Information Security Integration into Corporate Governance

D.

The best indication that information security is integrated into corporate governance is when significant incidents are escalated to executive management. This is because executive management has the ultimate responsibility for the overall governance of the organization, and if they are made aware of significant information security incidents, they can take appropriate action to ensure that the incident is addressed and that appropriate controls are put in place to prevent future incidents.

Option A, which states that new vulnerabilities are reported directly to the security manager, is not a sufficient indication that information security is integrated into corporate governance because it does not necessarily mean that the security manager is reporting the vulnerabilities to executive management or that the vulnerabilities are being addressed at the executive level.

Option C, which states that security policy documents are reviewed periodically, is important for ensuring that policies are up-to-date, but it does not necessarily indicate that information security is integrated into corporate governance.

Option D, which states that administrative staff is trained on current information security topics, is important for ensuring that staff are aware of security best practices, but it does not necessarily indicate that information security is integrated into corporate governance.

In summary, the best indication that information security is integrated into corporate governance is when significant incidents are escalated to executive management, as this ensures that information security is being addressed at the highest levels of the organization.