In the opening step, you considered the risk management implementation framework and the risk management technologies you might use. Now, it’s time to list the organization’s vulnerable assets.
In order to conduct effective information risk management, the vulnerabilities of the system must be understood and documented prior to starting the assessment, regardless of which of the risk assessment approaches is used.
Begin by conducting a thorough review of the recently completed Vulnerability and Threat Assessment report. During the review, pay particular attention to which security risks to information systems that might be relevant and consider varying types of risk assessment and analysis.
Using the Vulnerable Assets Template, identify and create a list of assets considered vulnerable. This is a simple list, not prioritized, not valued, simply identified, but complete. Pay particular attention to application software in both the acquisition and implementation phases. This list of vulnerable assets will also be used during the next step.