Which of the following should the Board of Directors NOT do to establish a supportive senior management climate for IS?

Study for the FedVTE ISSMP Test. Study with flashcards and multiple-choice questions; each question has hints and explanations. Get ready for your exam!

The choice indicating that the Board of Directors should wait to evaluate potential IS risks before implementing policies is the correct answer, that is, the action the Board should NOT take, because it reflects a reactive rather than a proactive approach to information security. In an effective governance structure, the Board should prioritize risk assessment as an integral part of the policymaking process rather than deferring it until after policies are in place. Establishing security policies without a clear understanding of existing risks can lead to vulnerabilities and inadequacies within the information security framework.

Proactive risk evaluations allow for informed decision-making about policies and controls that can directly address threats and weaknesses. This foresight fosters a culture of security awareness and preparedness. In contrast, waiting to assess risks could create gaps in security measures, ultimately undermining the organization’s ability to protect its information assets. Thus, to create a supportive climate surrounding information security at the senior management level, the Board needs to approach IS risks with ongoing and proactive evaluations, establishing a strong foundation for effective governance and security practices.
