Comment: Migrated to Confluence 4.0

...

Goals: Establish the strategy for assessing risk. Determine the criteria that will be used to evaluate the strategic importance of assets (often called "asset classification"; please see the Data Classification Toolkit for more comprehensive information on this topic), threats and vulnerabilities.

Note: Although nothing in this phase is generally repeated, it is possible at any time in the ongoing risk assessment process to either research or discover an additional useful criterion or specific question to be answered and add it to the set already in use.

Process 1: Establish Criteria that will be used to Classify and Rank Data Assets

...

Goals: Identify and prioritize the institution's critical assets. Identify key threats and vulnerabilities that could compromise the confidentiality, integrity and availability of these assets. Identify all protections in place to safeguard these assets and which vulnerabilities and threats they impact.

Note: It is important that all levels of the institution participate in this phase in order to derive an accurate perspective of the institution's security posture. Senior management provides the overall vision and feedback on the organization's "appetite" for risk. Technical staff is best suited to comment on the infrastructure and third-party applications. Users provide valuable insight by characterizing their knowledge and awareness of appropriate behavior to protect the institution's assets.

Process 1: Strategic Perspective - Senior Management

...