When collecting information to identify IT-related risk, a risk practitioner should FIRST focus on IT:
A. security policies.
B. process maps.
C. risk tolerance level.
D. risk appetite.