Final answer:
The first step in starting an information security program is to adopt a corporate information security policy statement. The correct option is c).
Step-by-step explanation:
Establishing an information security program begins with defining the overarching principles and goals through a corporate information security policy statement. This policy serves as a foundation, outlining the organization's commitment to safeguarding its information assets and establishing the framework for subsequent security measures. Before developing detailed standards or implementing specific controls, it's essential to have a clear policy that aligns with the organization's business objectives.
The policy statement provides a high-level strategic direction, guiding the development and implementation of detailed security standards and controls in subsequent steps. Without a comprehensive and well-defined policy, efforts to establish an effective information security program may lack direction and coherence. Therefore, the adoption of a corporate information security policy statement is the critical first step in building a robust and cohesive information security program.