9.3. Create Risk Evaluation Criteria

During this activity you define your organization's tolerance for risk by creating evaluation criteria. These criteria are the measures against which you evaluate the types of impact you described during the previous activity. An organization must explicitly prioritize known risks, because it cannot mitigate all of them: funding, staff, and schedule constraints limit how many risks can be addressed and to what extent. This activity provides decision makers with additional information they can use when establishing mitigation priorities.

Step 1: Review Information

You need to review relevant background information to help you define evaluation criteria. Such information includes the following:

  • Strategic and/or ...