Your company's IT department develops and finalizes a set of security solutions and policies which have been approved by upper management for deployment within the company. What is the first thing the IT department should have done during the development of the security solutions and policies?

A. Contact an independent SME to help them understand what policies and solutions they need.
B. Involve facilities management early to help plan for the new security hardware in the data center.
C. Discuss requirements with stakeholders from within the company.
D. Contact vendors to start the RFI and RFP process.

C
Explanation: The IT department should have discussed requirements with stakeholders from within the company first. The stakeholders should be chosen from across all departments in the company.
The IT department should not have contacted an independent SME until after the project requirements are determined.
The IT department should not involve facilities management until after the project requirements are determined.
The IT department should not contact vendors until after the project requirements are determined.