Before conducting a formal risk assessment of an organization’s information resources, an information security manager should FIRST:
A. map the major threats to business objectives.
B. review available sources of risk information.
C. identify the value of the critical assets.
D. determine the financial impact if threats materialize.
Answer: A
Explanation:
Risk mapping, or a macro assessment of the major threats to the organization, is a simple first step before performing a risk assessment. Compiling all available sources of risk information is part of the risk assessment. Choices C and D are also components of the risk assessment process and are performed after the mapping of threats to business objectives.