Assessing IT risks is BEST achieved by:
A. evaluating threats associated with existing IT assets and IT projects.
B. using the firm's past actual loss experience to determine current exposure.
C. reviewing published loss statistics from comparable organizations.
D. reviewing IT control weaknesses identified in audit reports.