Which of the following should be the FIRST step when conducting an IT risk assessment?

A. Assess vulnerabilities
B. Identify assets to be protected
C. Evaluate controls in place
D. Identify potential threats