I'm an online at UAT and the question I ask is in regards to InfoSec should there be someone ultimately responsible or should there be a committee of different areas to make up the final task?
Some of my customers are asking for copies of some of our security policies. I mentioned that the documents were confidential but they insist on providing evidence that the policies exist. Should I give them a copy? These customers all have NDAs with my company.