A company Chief Information Officer (CIO) is unsure which set of standards should govern the company’s IT
policy. The CIO has hired consultants to develop use cases to test against various government and industry
security standards. The CIO is convinced that there is large overlap between the configuration checks and
security controls governing each set of standards. Which of the following selections represent the BEST option
for the CIO?
A.
Issue a RFQ for vendors to quote a complete vulnerability and risk management solution to the company.
B.
Issue a policy that requires only the most stringent security standards be implemented throughout the
company.
C.
Issue a policy specifying best practice security standards and a baseline to be implemented across the
company.
D.
Issue a RFI for vendors to determine which set of security standards is best for the company.