Which is NOT a core component of a robust information security program?

Understanding what protects information on a day-to-day basis versus what helps an organization recover after a disruption is the focus here. Access controls, encryption, and auditing sit at the heart of information security because they directly prevent unauthorized access, protect data confidentiality and integrity, and provide visibility for detection and accountability. Disaster recovery planning, while essential for resilience, centers on restoring operations after an incident and ensuring continuity. It falls more into the realm of business continuity than into the continuous protection and monitoring of information security controls. So, disaster recovery planning is not a fundamental security control in the same sense as access controls, encryption, or auditing.