ISACA Exam Questions

After obtaining commitment from senior management, which of the following should be completed NEXT when establishing an information security program?

A. Define security metrics

B. Conduct a risk assessment

C. Perform a gap analysis

D. Procure security tools

Explanation:

When establishing an information security program, conducting a risk assessment is key to identifying the needs of the organization and developing a security strategy. Defining security metrics, performing a gap analysis and procuring security tools are all subsequent considerations.