The primary objective is to find any weakness in the current process and improve it. The other choices are all secondary.

Explanation/Reference:
Explanation:
The business manager will be in the best position, based on the risk assessment and mitigation proposals.
to decide which controls should/could be implemented, in line with the business strategy and with budget.
Senior management will have to ensure that the business manager has a clear understanding of the risk assessed but in no case will be in a position to decide on specific controls. The IT audit manager will take part in the process to identify threats and vulnerabilities, and to make recommendations for mitigations.
The information security officer (ISO) could make some decisions regarding implementation of controls.
However, the business manager will have a broader business view and full control over the budget and, therefore, will be in a better position to make strategic decisions.

Explanation/Reference:
Explanation:
Honeypots attract hackers away from sensitive systems and files. Since honeypots are closely monitored, the intrusion is more likely to be detected before significant damage is inflicted. Security baselines will only provide assurance that each platform meets minimum criteria. Penetration testing is not as effective and can only be performed sporadically. Vendor default settings are not effective.

Explanation
Digital signatures use a private and public key pair, authenticating both parties. The integrity of the contents exchanged is controlled through the hashing mechanism that is signed by the private key of the exchanging party. A digital hash in itself helps in ensuring integrity of the contents, but not nonrepudiation. Symmetric encryption wouldn't help in nonrepudiation since the keys are always shared between parties. Strong passwords only ensure authentication to the system and cannot be used for nonrepudiation involving two or more parties.