Which of the following must be done first to accomplish an organization's security goals?

a. Risk Assessment
b. Policy Implementation
c. Security Training
d. Incident Response Planning