Explain how risk management is the process of identifying vulnerabilities in an organization’s information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all the components in the organization’s information system.
Emphasize how risk management requires three major undertakings: risk identification, risk assessment, and risk control.
Define risk identification, which is the process of examining and documenting the security posture of an organization’s information technology and the risks it faces.
Define risk control, which is the application of controls that reduce the risks to an organization’s information systems.