An organization has to comply with recently published industry regulatory
requirements, and compliance potentially carries high implementation costs. What should the
information security manager do FIRST?
A. Implement a security committee.
B. Perform a gap analysis.
C. Implement compensating controls.
D. Demand immediate compliance.
Explanation:
Because the requirements are regulatory and therefore mandatory, the first step is a gap analysis to
determine the level of compliance already in place and which requirements remain unmet; only then can
the cost, priority and timeline of remediation be established. Implementing a security committee or
compensating controls would not be the first step, since neither can be scoped before the gaps are
known. Demanding immediate compliance would not assess the situation and ignores the implementation cost.