The Risk Assessment Process
Once a company has an IT security architecture in place, a risk assessment is needed to identify weaknesses and gaps in the deployment of controls and to identify more accurately what areas require the highest level of protection.
All companies have only a limited amount of funds, and those funds must be spent wisely. This means spending them in the areas that need the most protection. The purpose of the risk assessment is to evaluate risks in terms of the likelihood and the magnitude of an impact, to determine a response strategy, and to monitor progress in reducing the threat. The risk assessment also establishes a baseline for the organization's current level of information security. This baseline forms the foundation for deciding how the organization needs to increase or enhance its current level of security, based on the criticality or exposure to risk identified during the risk assessment. The following sections discuss each step of the process and provide an...
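As an added worked example (not from the original text), the following Python script shows the likelihood-times-impact scoring described above applied to a small, constructed risk register: each risk is scored, mapped to a response strategy, ranked, and then a limited budget is allocated to the controls that buy the most risk reduction per unit of cost. It also computes the pre-treatment baseline and the post-treatment total so progress can be monitored. The ordinal scales, the strategy thresholds, the register entries and the costs are all assumptions chosen for illustration, not figures from the page.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal 1..5 scales (constructed for this example; real programmes define their own).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    name: str
    likelihood: str            # current likelihood rating (key of LIKELIHOOD)
    impact: str                # magnitude of impact if it occurs (key of IMPACT)
    mitigation_cost: int       # constructed cost of the planned control, arbitrary units
    residual_likelihood: str   # expected likelihood once the control is deployed

    def score(self) -> int:
        """Inherent risk = likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Risk remaining after the planned control (impact assumed unchanged)."""
        return LIKELIHOOD[self.residual_likelihood] * IMPACT[self.impact]

    def reduction(self) -> int:
        return self.score() - self.residual_score()


def response_strategy(score: int) -> str:
    """Map a score to a response; thresholds are an assumption for this example."""
    if score >= 15:
        return "mitigate"
    if score >= 8:
        return "mitigate or transfer"
    if score >= 4:
        return "monitor"
    return "accept"


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Highest inherent score first; ties broken by name for a stable report."""
    return sorted(risks, key=lambda r: (-r.score(), r.name))


def allocate_budget(risks: List[Risk], budget: int) -> List[Risk]:
    """Greedy allocation: fund controls with the best reduction per unit cost
    until the budget is exhausted. Risks whose strategy is 'accept' are skipped
    so money is not spent where no treatment is required."""
    candidates = [r for r in risks if response_strategy(r.score()) != "accept"]
    candidates.sort(key=lambda r: (-(r.reduction() / r.mitigation_cost), r.name))
    funded, remaining = [], budget
    for r in candidates:
        if r.mitigation_cost <= remaining:
            funded.append(r)
            remaining -= r.mitigation_cost
    return funded


def baseline_and_current(risks: List[Risk], funded: List[Risk]) -> Tuple[int, int]:
    """Total inherent score (the baseline) and total score after funded controls,
    which is what the monitoring step tracks over time."""
    funded_names = {r.name for r in funded}
    baseline = sum(r.score() for r in risks)
    current = sum(r.residual_score() if r.name in funded_names else r.score()
                  for r in risks)
    return baseline, current


# Constructed register: four illustrative risks with made-up ratings and costs.
REGISTER = [
    Risk("unpatched_internet_facing_server", "likely", "severe", 30, "unlikely"),
    Risk("lost_laptop_unencrypted", "possible", "major", 10, "rare"),
    Risk("phishing_credential_theft", "almost_certain", "moderate", 20, "possible"),
    Risk("office_printer_outage", "possible", "negligible", 5, "rare"),
]


def report(risks: List[Risk], budget: int) -> None:
    for r in rank_risks(risks):
        print(f"{r.name:36} score={r.score():2} -> {response_strategy(r.score())}")
    funded = allocate_budget(risks, budget)
    baseline, current = baseline_and_current(risks, funded)
    print("funded:", [r.name for r in funded])
    print(f"baseline total={baseline}, after treatment={current}")


if __name__ == "__main__":
    report(REGISTER, budget=45)
```

With the constructed budget of 45 the greedy pass funds the laptop encryption control (cost 10, reduction 8) and the server patching control (cost 30, reduction 10) and leaves the phishing control unfunded for this cycle; the printer outage scores 3 and is accepted without spend. Tracking the "after treatment" total against the baseline from one assessment to the next is the monitoring step the text describes.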