A risk assessment is a process for determining which information resources exist that require protection, and for understanding and documenting the potential risks from IT security failures that may cause loss of information confidentiality, integrity, or availability. The purpose of a risk assessment is to help management create appropriate strategies and controls for the stewardship of information assets.
Successful risk assessments require the full support of senior management and must be conducted by teams that include both functional managers and information technology administrators. As business operations, workflow, or technologies change, periodic reviews must be conducted to analyze these changes, to account for the new threats and vulnerabilities they create, and to determine the effectiveness of existing controls. The risk assessment tool provided here may be used to identify assets and the risks to those assets, to estimate the likelihood of security failures, and to identify appropriate controls for protecting assets and resources. Management should evaluate the outcome of the risk assessment to prioritize solutions for potential problems, taking into account the severity of the likely ramifications and the expense of implementing cost-effective and reasonable safeguards or controls.