An organization is considering modifying its system to enable acceptance of credit card payments. To reduce the risk of data exposure, which of the following should the organization do FIRST?

A. Implement additional controls
B. Conduct a risk assessment
C. Update the risk register
D. Update the security strategy