An organization without any formal information security program that has decided to implement
information security best practices should FIRST:
A.
invite an external consultant to create the security strategy.
B.
allocate budget based on best practices.
C.
benchmark similar organizations.
D.
define high-level business security requirements.
Explanation:
All four options are valid steps in the process of implementing information security best practices;
however, defining high-level business security requirements should precede the others because
the implementation should be based on those security requirements.