ISACA Exam Questions

The officer should FIRST:

A new regulation for safeguarding information processed by a specific type of transaction has
come to the attention of an information security officer. The officer should FIRST:

A. meet with stakeholders to decide how to comply.

B. analyze key risks in the compliance process.

C. assess whether existing controls meet the regulation.

D. update the existing security/privacy policy.

Explanation:

If existing controls already bring the organization into compliance, further work related to
the regulation is not a priority. The other choices are appropriate and important; however,
they are subsequent actions that depend on whether a control gap exists.