Which three questions must be answered before a security policy can be determined? (Choose three.)

A.
What am I protecting?

B.
What security tools are needed?

C.
What applications do I need to patch?

D.
Why am I protecting a specific system?

E.
Who am I protecting my enterprise from?