After obtaining commitment from senior management, which of the following should be completed
NEXT when establishing an information security program?
A. Define security metrics
B. Conduct a risk assessment
C. Perform a gap analysis
D. Procure security tools
Explanation:
When establishing an information security program, conducting a risk assessment is key to
identifying the needs of the organization and developing a security strategy. Defining security
metrics, performing a gap analysis and procuring security tools are all subsequent considerations.