The Risk Assessment evaluates and documents these identified risks. The various threats are measured and quantified to determine the level of the risk and the amount of harm to the system and its data that would occur if the threat were realized. This assessment matches the threats to the system's vulnerabilities.

Next, the assessment of the risk is documented in a Decision Support Package in accordance with existing regulations, policies, and requirements for the organization.

The result of the Risk Decision is a recommendation, either to approve the system with the existing level of residual risk, or, if the level of residual risk is too high, a recommendation not to approve the system.