14.1. Introduction

As indicated in Chapter 1, an information security risk evaluation provides a snapshot, or baseline, of the organization's current risks. However, this baseline is not static or frozen in time. After an evaluation has been completed, an organization will implement its protection strategy and risk mitigation plans; new threats and vulnerabilities will emerge; and the organization will identify new critical assets. New risks will emerge and old risks may go away or change their nature.

To understand how its security risks change over time, an organization typically “resets” its baseline periodically by conducting another evaluation. The time between evaluations can be predetermined (e.g., yearly) or triggered by major events ...

Get Managing Information Security Risks: The OCTAVESM Approach now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.