Risk assessment is a process whereby the assets of a company are identified and assigned a value, probable threats to those assets are identified, and countermeasures are then selected to protect against those threats. The risk assessment process usually includes:
Determining the assets at risk: to proceed in a logical order, assets are first categorized into groups and presented from the most expendable to the most valuable.
Identifying threats: knowing what is considered a threat, the probability of that threat occurring, and the impact it would have on the asset. This step usually includes external and internal network penetration testing.
Determining acceptable risk: as the collected data is evaluated, top management has to decide what level of risk is acceptable and how to deal with it in order to protect the asset and mitigate the risk.
Remediation: after the risk assessment, a remediation report is generated and delivered to the IT manager, who allocates the resources needed to execute the remediation steps.
Monitoring of controls: at this stage, risk assessment moves from a process to an ongoing program. As controls are put into place, the task becomes providing feedback on their effectiveness.
If a control is not having the desired result, changes will have to be made. As new threats are identified or new assets are introduced, this new information feeds back into the loop so that the new risk can be mitigated and appropriate adjustments made. Further, if asset values are not adjusted as assets depreciate or as other economic trends affect their value, the data becomes invalid.