Which of the following is the FIRST step an organization's professional performs when defining a cyber-security program based upon industry standards?
A. Review the past security assessments
B. Define the organization's objectives regarding security and risk mitigation
C. Map the organization's current security practices to industry standards and frameworks
D. Select from a choice of security best practices