A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:
A . meet with stakeholders to decide how to comply.
B . analyze key risks in the compliance process.
C . assess whether existing controls meet the regulation.
D . update the existing security/privacy policy.
Answer: C
Explanation:
If the organization is in compliance through existing controls, the need to perform other work related to the regulation is not a priority. The other choices are appropriate and important; however, they are actions that are subsequent and will depend on whether there is an existing control gap.