Performing an Information Risk Analysis: Best Practices for CISM Exam Preparation

The Importance of Information Risk Analysis for CISM Exam Success

Question

When performing an information risk analysis, an information security manager should FIRST:

Answers

Explanations

A. B. C. D.

C.

Assets must be inventoried before any of the other choices can be performed.

When performing an information risk analysis, the first step an information security manager should carry out is an asset inventory. This involves identifying and listing all assets (physical, virtual, and intangible) that the organization uses, stores, processes, or transmits.

Taking an asset inventory helps in determining what assets are critical, what threats and vulnerabilities affect them, and what controls can be put in place to protect them. It also helps in identifying the interdependencies between assets and the potential impact of an attack or breach.

Once an asset inventory has been established, the next step is to categorize the assets. This involves grouping similar assets together based on their characteristics, such as value, sensitivity, or criticality. The categories can then be used to prioritize risk assessments and allocate resources effectively.

After categorizing the assets, the next step is to evaluate the risks to the assets. This involves identifying threats and vulnerabilities that could impact the assets and assessing the likelihood and potential impact of those risks. This information can then be used to develop a risk management plan that includes controls to mitigate or manage the risks.

Finally, once the risks have been evaluated, the ownership of assets can be established. This involves identifying who is responsible for the assets, who has access to them, and who is accountable for their security.

In summary, the correct order of steps when performing an information risk analysis is:

  1. Take an asset inventory
  2. Categorize the assets
  3. Evaluate the risks to the assets
  4. Establish the ownership of assets

Therefore, option C is the correct answer to the question.