Question:

Introduce how to establish the context, which includes understanding the organization’s internal and external operating environments and other factors that could impact the RM process.
Identify the risk:
a. Create an inventory of information assets
b. Classify and organize assets meaningfully
c. Assign a value to each information asset
d. Identify threats to the cataloged assets.
e. Pinpoint vulnerable assets by tying specific threats to specific assets.
Analyze the risk:
a. Determining the likelihood that vulnerable systems will be attacked.
b. Assessing the relative risk facing the organization’s information assets.
c. Calculating the risks to which assets are exposed.
d. Looking at controls that might come into play for identified vulnerabilities and how to control those risks.
e. Documenting and reporting the findings of risk identification and assessment.
Evaluate the risk by comparing identified uncontrolled risks against the risk appetite.
Treat the unacceptable risk.
Discuss summarizing the findings and stating the conclusions of the investigation.
Explain how a risk management strategy calls on information security professionals to identify, classify, and prioritize their organizations’ information assets.

Related Book:

Principles Of Information Security

ISBN: 9780357506431

7th Edition

Authors: Michael E. Whitman, Herbert J. Mattord
