When assessing the risks that are present for an individual information system, you must consider a variety of elements.

These elements include the enterprise, which is the organization that owns or operates the system, and the environment, which is everything surrounding the system that could affect it.

Information resides within the environment, the enterprise, and the information system itself. The type of information and the level of security required to safeguard it are key to determining the security posture of the information system.

There are many known threats to a system, which may include hackers, viruses, and power outages.

There are also known vulnerabilities of the system. These vulnerabilities may reside in the operating system, in the external network connections, or simply in the building where the information system is housed. Vulnerabilities may include obvious passwords, unsecured work areas, or untrained users.

The first step in the risk management model is to identify these threats and vulnerabilities and their sources.