When management changes the enterprise business strategy, which of the following processes should be used to evaluate the existing information security controls as well as to select new information security controls?

A. Risk management
B. Change management
C. Access control management
D. Configuration management