CISA Exam Preparation Guide

Gaining Understanding of Organization's Information Security Strategy


Question

A new information security manager is charged with reviewing and revising the information security strategy.

The information security manager's FIRST course of action should be to gain an understanding of the organization's:

Answers

D.

Explanations

As a new information security manager, the FIRST course of action should be to gain an understanding of the organization's business strategy. An information security strategy is only effective if it is aligned with and supports the business strategy: the business strategy determines which assets, processes and objectives matter most, and therefore which risks and threats the security strategy has to address and how security measures should be prioritized so that they remain consistent with the organization's goals.

The other artifacts are reviewed in light of that understanding, not before it. Once the business strategy is understood, the security manager should review the security architecture, the risk register and the internal control framework to confirm they are aligned with it. The security architecture is assessed to confirm it is designed and implemented to protect the assets and data the business depends on. The risk register is reviewed to identify the organization's key risks and to determine whether existing controls adequately address them. The internal control framework is assessed to confirm it is effectively managing those risks and protecting the organization's assets. Each of these reviews depends on knowing the business context first, which is why understanding the business strategy must come before any of them.