The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level. This must become an integral part of the economic basis for

making business decisions.

You must identify, examine, and understand the

current information and systems in your organization. To

protect information assets, which were defined earlier in

this book as information and the systems that use, store,

and transmit information, you must know what those assets

are, where they are, how they add value to the organization,

and the vulnerabilities to which they are susceptible.

This means identifying, examining, and understanding

the threats facing the organization. You must determine

which threat aspects most directly affect the security of the

organization and its information assets, and then use this

information to create a list of threats, each one ranked

according to the importance of the information assets that

it threatens.

Each community of interest has a role to play in managing the

risks that an organization encounters. Because members of the

information security community best understand the threats

and attacks that introduce risk into the organization, they often

take a leadership role in addressing risk to information assets.

Management and users, when properly trained and kept aware

of the threats the organization faces, play a part in early

detection and response.

must also ensure that sufficient time,

money, personnel, and other resources are allocated to the

information security and information technology groups to

meet the organization’s security needs.

must work together to address all

levels of risk, which range from disasters that can devastate the

whole organization to the smallest employee mistakes.

A determination of the extent to which an organization’s information assets are exposed to risk.