Which of the following represents step $4$ of the seven step process defined by NIST SP $800-37$ Risk Management Framework for Information Systems and Organizations?

$1.$

Step $4$: Prepare for Risk Assessment $$ from organization and system perspective

$2.$

Step $4$: Select Security Controls $$ Security controls are the management, operational and technical safeguards or countermeasures employed within an information system that protect the confidentiality, integrity and availability of the system and its information.

$3.$

Step $4$: Categorize Information Systems $$ gain an understanding of the organization.

$4.$

Step $4$: Implement Security Controls $$ describe how the controls are employed within the information system and its environment of operation.