A new regulation for safeguarding information processed by a specific type of transaction has come to the
attention of an information security officer. The officer should FIRST:

A.
meet with stakeholders to decide how to comply.

B.
analyze key risks in the compliance process.

C.
assess whether existing controls meet the regulation.

D.
update the existing security/privacy policy.

Explanation:

If the organization is in compliance through existing controls, the need to perform other work related to the regulation is not a priority. The other choices are appropriate and important; however, they are actions that are subsequent and will depend on whether there is an existing control gap.