Section: INFORMATION SECURITY PROGRAM MANAGEMENT
Explanation:
Assessing the problems and instituting rollback procedures as needed would be the best course of action.
Choices B and C would not identify where the problem was, and may in fact make the problem worse.
Choice D is part of the assessment.

To improve the governance framework and achieve a higher level of maturity, an organization needs to conduct continuous analysis, monitoring and feedback compared to the current state of maturity. Return on security investment (ROSD may show the performance result of the security-related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives. Thus, it may not be an adequate option. Continuous risk reduction would demonstrate the effectiveness of the security governance framework, but does not indicate a higher level of maturity. Key risk indicator (KRD setup is a tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.

Explanation
When establishing an information security program, conducting a risk assessment is key to identifying the needs of the organization and developing a security strategy. Defining security metrics, performing a gap analysis and procuring security tools are all subsequent considerations.

Explanation/Reference:
Explanation:
A security plan must be developed to implement the security strategy. All of the other choices should follow the development of the security plan.