Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant but it is expected to grow to a global customer base of many millions of customers in just a few years.
Which of the following would be the FIRST step when addressing Information Security formally and consistently in this organization?
A . Define formal roles and responsibilities for Information Security
B . Define formal roles and responsibilities for Internal audit functions
C . create an executive security steering committee
D . Contract a third party to perform a security risk assessment
Answer: A