An IS auditor reviewing the risk assessment process of an organization should FIRST: 
A、identify the reasonable threats to the information assets. 
B、analyze the technical and organizational vulnerabilities. 
C、identify and rank the information assets. 
D、evaluate the effect of a potential security breach.