During the baseline phase, what is the expected outcome related to metrics and reporting?

• A. Establish business metrics and begin sending reports to business stakeholders
• B. Deploy a new security awareness program
• C. Disable non-critical alerts
• D. Archive baseline data annually

Answer: (A)

Setting up business metrics and starting reports to stakeholders is what the baseline phase delivers. At this stage you define what will be measured—such as incidents detected, data loss risk indicators, remediation times, and policy effectiveness—and you establish a reporting cadence so leadership can see the current state and understand the organization’s data protection posture. This creates a reference point for later comparison to track improvements as the DLP program matures. Activities like launching a security awareness program, tuning alerts by disabling non-critical ones, or archiving baseline data are important but belong to other phases or tasks—baselining concentrates on defining metrics and beginning to report on them.