I believe it's C. Based on this ISACA article: https://www.isaca.org/resources/isaca-journal/issues/2018/volume-4/roles-of-three-lines-of-defense-for-information-security-and-governance. Although it doesn't specifically state it, it does say that the second line is in charge of evaluating risk and compliance. Reviewing the disaster recovery results would be a step in the evaluation of the unit's risk and/or compliance with its disaster recovery plans. Also, I saw on another question bank that is more accurate than ExamTopics that it was C as well.
In the context of the three lines of defense model for risk management, the second line of defense is responsible for overseeing and monitoring the effectiveness of risk management practices implemented by the first line. This includes developing and implementing risk management processes, policies, and procedures, as well as providing guidance and oversight to ensure that risks are managed appropriately.
C. Review disaster recovery test results: The second line of defense is responsible for overseeing and monitoring the effectiveness of risk management practices, including reviewing the results of disaster recovery tests to ensure that recovery plans are effective and risks are managed appropriately.
D. Provide independent assessment of IT security: This is typically the role of the third line of defense, which consists of internal auditors who provide independent assurance on the effectiveness of governance, risk management, and internal controls.
It appears to be "D". According to IIA GTAG - Assessing Cybersecurity Risk, The Three Lines Model: Second line roles, often comprised of IT risk management and IT compliance functions, are key to an organization’s security posture and program design.
Second line roles are responsible for:
Assessing the risks and exposures related to cybersecurity and determining whether they are in alignment with the organization’s risk appetite.
Monitoring current and emerging risks and changes to laws and regulations.
Collaborating with the first line functions to ensure appropriate control design.
I would think D would be done by the 3rd line of defense (internal audit). BUT A, B, and C all seem to be done by the 1st line, so I'm torn. C seems like the most likely right answer because it isn't implementing things the way A and B are, but I just don't know. Anyone else have insight on this?
Community vote distribution
A (35%)
C (25%)
B (20%)
Other