An organization's information security program has been in place for two years. During a recent audit, several findings indicated that security controls are not consistently applied across business units. The CISO has been asked to improve the program. Which of the following should the CISO do FIRST?
Select one:
ISACA often tests the principle that a risk assessment must precede any control implementation or po...