After obtaining commitment from senior management, which of the following should be completed NEXT when establishing an information security program?
A. Define security metrics
B. Conduct a risk assessment
C. Perform a gap analysis
D. Procure security tools
Explanation:
When establishing an information security program, conducting a risk assessment is key to identifying the needs of the organization and developing a security strategy. Defining security metrics, performing a gap analysis and procuring security tools are all subsequent considerations.