Risk management is a cornerstone of a sound security governance program. Its foundation is determining what needs protection, which is why establishing an asset inventory is fundamental. This chapter gives detailed guidance on constructing such an inventory and on capturing each asset's vulnerabilities, availability needs, and risk attributes. That information is then used to establish the need for additional security controls, both procedural and technical. The chapter also addresses how risks are prioritized and how decisions are made about which new controls to deploy over time. It then considers how new controls are acquired, whether built in-house or purchased, discusses procurement issues, and finally considers the testing of new controls.
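The following is an added illustration, not code from the chapter or its authors, of the inventory-to-prioritization flow the summary describes: assets are recorded with an owner, a criticality rating, an availability need and their open vulnerabilities; a risk score is derived from those attributes; assets are ranked; and the ones above a treatment threshold are mapped to proposed procedural or technical controls. The 1-to-5 scales, the impact-times-likelihood scoring, the vulnerability catalog, the threshold of 12 and every asset and finding name are constructed assumptions for the example, not figures from the text.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed catalog of finding classes (hypothetical ids, not from the chapter):
# id -> (likelihood 1..5, control type, proposed control)
VULNERABILITY_CATALOG = {
    "unpatched-os":        (4, "technical",  "patch management"),
    "default-credentials": (5, "procedural", "credential rotation standard"),
    "no-backup":           (3, "technical",  "scheduled backups"),
    "tls-weak-config":     (2, "technical",  "TLS hardening baseline"),
}
DEFAULT_LIKELIHOOD = 3  # assumed for findings not yet catalogued


@dataclass
class Asset:
    """One inventory record. criticality and availability_need use an assumed
    1 (low) .. 5 (critical) scale; vulnerabilities are catalog ids."""
    name: str
    owner: str
    criticality: int
    availability_need: int
    vulnerabilities: List[str] = field(default_factory=list)


def asset_risk(asset: Asset) -> int:
    """Risk = impact x likelihood. Impact is the larger of criticality and
    availability need, so an asset that must stay up is high-impact even when
    its data is of low value; likelihood is that of the worst open finding."""
    if not asset.vulnerabilities:
        return 0
    impact = max(asset.criticality, asset.availability_need)
    likelihood = max(
        VULNERABILITY_CATALOG.get(v, (DEFAULT_LIKELIHOOD,))[0]
        for v in asset.vulnerabilities
    )
    return impact * likelihood


def prioritize(assets: List[Asset]) -> List[Asset]:
    """Highest risk first; ties broken by name so the order is stable."""
    return sorted(assets, key=lambda a: (-asset_risk(a), a.name))


def treatment_plan(assets: List[Asset], threshold: int = 12) -> List[Tuple[str, int, List[str]]]:
    """Assets at or above the (assumed) threshold, with the controls that the
    catalog proposes for each of their open findings."""
    plan = []
    for a in prioritize(assets):
        risk = asset_risk(a)
        if risk < threshold:
            continue
        controls = [
            VULNERABILITY_CATALOG[v][2]
            for v in a.vulnerabilities
            if v in VULNERABILITY_CATALOG
        ]
        plan.append((a.name, risk, controls))
    return plan


def missing_owners(assets: List[Asset]) -> List[str]:
    """Inventory hygiene check: every asset needs an accountable owner."""
    return [a.name for a in assets if not a.owner.strip()]


# Constructed sample inventory.
INVENTORY = [
    Asset("payroll-db", "finance-it", 5, 3, ["unpatched-os", "no-backup"]),
    Asset("public-website", "marketing", 2, 5, ["tls-weak-config"]),
    Asset("dev-wiki", "engineering", 2, 2, ["default-credentials"]),
    Asset("print-server", "", 1, 2, []),
]

if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(f"{a.name:15} risk={asset_risk(a):2}  owner={a.owner or '<none>'}")
    print("treatment plan:", treatment_plan(INVENTORY))
    print("assets without owner:", missing_owners(INVENTORY))
```

Separating the catalog from the inventory mirrors the chapter's split between capturing attributes and deciding on controls: the likelihood and proposed control for a finding class are set once, and each asset inherits them, so reprioritizing after a catalog update is a re-run rather than a re-assessment.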