An information security manager has been asked to create a strategy to protect the organization`s information from a variety of threat vectors. Which of the following should be done FIRST? 

Answer options:

A. Perform a threat modeling exercise
B. Develop a risk profile
C. Design risk management processes
D. Select a governance framework

B