CISM Certified Information Security Manager – Question0294

Which of the following security activities should be implemented in the change management process to identify key vulnerabilities introduced by changes?

A. Business impact analysis (BIA)
B. Penetration testing
C. Audit and review
D. Threat analysis

Correct Answer: B

Explanation:

Penetration testing focuses on identifying vulnerabilities. None of the other choices would identify vulnerabilities introduced by changes.