Which option represents a step that should be taken when a security policy is developed?

A.
Perform penetration testing.

B.
Determine device risk scores.

C.
Implement a security monitoring system.

D.
Perform quantitative risk analysis.

Explanation:
The security policy developed in your organization drives all the steps taken to secure network
resources. The development of a comprehensive security policy prepares you for the rest of your
security implementation. To create an effective security policy, it is necessary to do a risk analysis,
which will be used to maximize the effectiveness of the policy and procedures that will be put in
place. Also, it is essential that everyone be aware of the policy; otherwise, it is doomed to fail.
Two types of risk analysis are of interest in information security:
Reference: http://www.ciscopress.com/articles/article.asp?p=1998559&seqNum=2