An IS audit reveals that an organization is not proactively addressing known vulnerabilities.
Which of the following should the IS auditor recommend the organization do FIRST?
A . Verify the disaster recovery plan (DRP) has been tested.
B . Ensure the intrusion prevention system (IPS) is effective.
C . Confirm the incident response team understands the issue.
D . Assess the security risks to the business.
Answer: D