Once a risk assessment has been completed and approved, it can be turned into a risk mitigation plan for the IT infrastructure. A risk assessment includes the following high-level steps:
- Identify and evaluate relevant threats.
- Identify and evaluate relevant vulnerabilities.
- Identify and evaluate countermeasures.
- Develop mitigating recommendations.
Next, management reviews the risk assessment. Management can approve, reject, or modify the recommendations. The management decisions are then documented and included in a plan of action and milestones (POA&M) document.
The next step translates the approved risk assessment into an actual risk mitigation plan. Before jumping into this, the risk assessment ...