– Christian Malatesti, senior information security consultant with Enterprise Risk Management (www.emrisk.com), says:

Risk management is typically implemented in phases with measurable milestones at the end of each phase. The first step is to identify all the assets to be protected. Secondly, the assets need to be classified in respect to the confidentiality, integrity and availability principles, and the impact of each asset on the business should be measured if one of these principles is compromised.

Subsequently, the threats and the related risks affecting the assets need to be identified and evaluated. This step will provide IT Security managers with an understanding of which assets need to be protected the most.

Ultimately, a control analysis should be performed to identify the preventive, detective, and responsive controls the organization has in place or its deficiency to mitigate the risks associated to each threat.