An enterprise has a zero-tolerance policy regarding security. This policy is causing a large number of email attachments to be blocked and is a disruption to the enterprise. Which of the following should be the FIRST governance step to address this email issue? 

Answer options:

A. Obtain senior management input based on identified risk.
B. Direct the development of an email usage policy.
C. Recommend business sign-off on the zero-tolerance policy.
D. Introduce an exception process.

B