What is the first step the security manager should perform when considering issuing non-standard tablet computers to executive management?

The first step a security manager should perform when considering issuing non-standard tablet computers to executive management is to develop the use case for the devices and perform a risk analysis. This approach is essential because it lays the groundwork for understanding how the devices will be utilized, the information they will handle, and the potential threats associated with their use. By establishing the use cases, the security manager can identify specific security requirements and how the devices align with organizational policies and goals.

Conducting a risk analysis allows for a comprehensive evaluation of potential vulnerabilities, threats, and the impact of security incidents related to the devices. This process helps ensure that appropriate controls are implemented to mitigate risks before deployment, rather than reacting to issues after the devices are in use.

In contrast, installing the devices prior to assessing risks could lead to security gaps and exposure to threats that weren't identified beforehand. Conducting a survey of user preferences is also important but comes after understanding the broader context of how the devices will be used and the associated risks. Requesting budget approval is necessary but should be based on informed decisions stemming from the initial analysis rather than being the first action taken.