Weekly CISSP Practice Exam Questions

Week 51 - Question 1

You are designing a security policy for a new startup. What should be your first step?

A. Conduct a risk assessment
B. Implement a firewall
C. Purchase antivirus software
D. Consult with legal advisors

Answer: A. Conduct a risk assessment
Explanation:

Security Policy Development Breakdown

  • Conduct a Risk Assessment: This is the "Phase 0" of security. You must identify your Assets (what are we protecting?), Threats (who wants it?), and Vulnerabilities (how can they get it?). Without this, you might spend $100,000 protecting $10,000 worth of data, or worse—leave your most valuable IP completely exposed.

  • Senior Management Approval: While not an option here, remember for the exam that once risks are identified, the policy must have the "buy-in" of senior management. Policy without management support is just a suggestion.

  • The Policy Hierarchy: The Risk Assessment informs the High-Level Policy (the "Why"), which then leads to Standards (the "What"), and finally Procedures (the "How").


Why the other options are incorrect

  • B. Implement a Firewall: This is a Technical Control. Implementing technology before a policy is established is known as "reactive security." You don't know what rules the firewall needs until you define what traffic is authorized.

  • C. Purchase Antivirus Software: Like the firewall, this is a tactical tool. You cannot determine your software needs until you assess your endpoints and the level of risk they face.

  • D. Consult with Legal Advisors: While critical for ensuring your policy meets regulatory requirements (like GDPR or CCPA), you need the results of a risk assessment first so you can provide the legal team with specific contexts to review.

The "CISSP Rule of Thumb": On the exam, if you see an option that involves Planning, Assessment, or Identifying Requirements, it is almost always the "first step" over any technical action.
