IT departments are tasked with new projects and initiatives but are often unsure how to assess the risks these introduce. Many frameworks exist, but companies often rely on informal discussions to assess risk.
This phase will help you develop a methodology for conducting threat and risk assessments by first assessing risks given current mitigating controls in place, then reassessing those risks with proposed controls in place.
By following this process, you will be able to assess your risk on a per-project basis. After completing it once, you will have a repeatable process with which to conduct assessments for future projects.
Use this phase as part of the full blueprint, Combine Information Security Risk Management Components Into One Program.