I'm an online at UAT and the question I ask is in regards to InfoSec should there be someone ultimately responsible or should there be a committee of different areas to make up the final task?