An IS auditor reviewing the risk assessment process of an organization should FIRST:
A、identify the reasonable threats to the information assets.
B、analyze the technical and organizational vulnerabilities.
C、identify and rank the information assets.
D、evaluate the effect of a potential security breach.