Three things that must be considered for the planning and implementation of access control
mechanisms are:

A.
Threats, assets, and objectives.

B.
Threats, vulnerabilities, and risks.

C.
Vulnerabilities, secret keys, and exposures.

D.
Exposures, threats, and countermeasures.

Explanation:
The correct answer is “Threats, vulnerabilities, and risks”. Threats define the possible source of
security policy violations; vulnerabilities describe weaknesses in the system that might be exploited
by the threats; and the risk determines the probability of threats being realized. All three items must
be present to meaningfully apply access control. Therefore, the other answers are incorrect.