PrepAway - Latest Free Exam Questions & Answers


Before conducting a formal risk assessment of an organization’s information resources, an information security manager should FIRST:


A. map the major threats to business objectives.

B. review available sources of risk information.

C. identify the value of the critical assets.

D. determine the financial impact if threats materialize.

Explanation:

Risk mapping or a macro assessment of the major threats to the organization is a simple first step before performing a risk assessment. Compiling all available sources of risk information is part of the risk assessment.
Choices C and D are also components of the risk assessment process, which are performed subsequent to the threats-business mapping.

