medium
Single Answer
0What should Ben do if he wants to assess the initial state of his information security awareness?
Answer Options
A
Implement security awareness based on a standard like ISO 27001.
B
Conduct a baseline analysis to determine his starting state.
C
Implement security awareness based on NIST standards.
D
Conduct a penetration test to determine how staff respond to security issues.
Correct Answer: B
Explanation
Establishing a baseline for security awareness is important so that Ben can determine what, if any, impact a program is having. This will drive KPIs as well as influence which actions and steps are taken to evolve the program. Implementing a security program is recommended by many standards, but they don’t determine initial awareness state. Penetration tests can provide information about where issues lie but don’t provide a broad baseline assessment either.