
111
© 2011 by Taylor & Francis Group, LLC
Chapter 5
Data Gathering
No matter what security risk assessment method or tool is used, the data-gath-
ering process is an essential step in the process. e scope of the data-gathering
phase depends on the results of (a) the project-denition phase to dene the system
boundaries, controls, and assets to be reviewed, and (b) the project-preparation
phase to ensure that the team’s time on-site data collection will be eective and
ecient. By the time the security risk assessment team begins the data-collection
process, the necessary denitions and preparations should have been completed.
SIDEBAR 5.1 Data Gatheri ...