Which of the following would be MOST helpful in determining an organization’s current capacity to mitigate risk?

A. Capability maturity model
B. Business impact analysis
C. IT security risk and exposure
D. Vulnerability assessment