Correct answer:

"Board of directors"

The organization’s board of directors is ultimately responsible for security

governance.

Correct answer:

"Data retention requirements"

An acceptable use policy (AUP) is likely to contain statements about the use

of corporate assets, personally owned assets, and information protection. Data

retention requirements are not likely to be included.

Correct answer:

"Management control of business functions"

Governance is best defined as management’s control over business functions

throughout an organization.

Correct answer:
"The cost of the fines is less than the cost of compliance."

While choosing to pay fines in lieu of compliance is uncommon, it is the best answer among the choices listed.

Correct answer:

"Database design"

The role of database design is generally shared between the DBA and software developers/architects or is owned entirely by software developers or architects.

Correct answer:
"Chief legal counsel"

Only legal counsel should be determining applicability of potentially relevant laws and regulations.

None of the other is an appropriate party to interpret regulations.

Correct answer is:

"Custodian"

IT is acting as a custodian in the access request process for the business application.

The business executive remains accountable for the operation. The business executive continues in the role of the system owner. IT is not the user.