The FIRST step to create an internal culture that focuses on information security is to:
A.
implement stronger controls.
B.
conduct periodic awareness training.
C.
actively monitor operations.
D.
gain the endorsement of executive management.
Explanation:
Endorsement of executive management in the form of policies provides direction and awareness.
The implementation of stronger controls may lead to circumvention. Awareness training is
important, but must be based on policies. Actively monitoring operations will not affect culture at all
levels.