Conduct a Risk Assessment to identify the information system:
- Threat
- Vulnerability/Weakness
- Impact
Risk Assessment (RA) is conducted through:
- Examination-
- Review existing documents (policies, procedures, previous assessment, etc.…)
- Observation-Observe the implementation of controls
- Walkthrough-Take tour of a building to take note of security control implementation
- Interview-System owner, system administrators, developer etc.…..
- Testing- test existing control (Test fail login attempt)