1) Define the scope of the analysis

2) Identify assets for review

• Who will be involved? Is good to have a team set up that includes business personnel, because an information security team usually does not know the business processes and will focus their efforts on specific threats and technology and then would not be able to justify the need for new security products. Whereas business personnel will know their processes and what data is important for them, but most likely have little knowledge of the technology supporting their processes. • What will they do? they should be able to establish that protecting data is the primary goal of Yummy Good Treats and that all of the people processes, hardware, software and other technology are tools used to do view/modify the data. • What are the expected outcomes? Once the assessment is understood and sensitive data elements are identified, it is time to bring teams together to link business processes that access the sensitive data and the technology used to support those processes and evaluate where risks are present. Once this is complete the teams can define and evaluate controls that are appropriate for the protection of the data. • What will be done based on the outcomes? Once the sensitive data elements and needed security controls are identified, the teams can define and evaluate new controls that are appropriate for the protection of the data. • Why is this step important in the risk assessment? I consider this step to be very important because it is the step where all the assets are identified so that they can be properly secured. 3) Evaluate the importance of the organization’s assets

4) Identify assets threats and vulnerabilities

• Who will be involved and what will they do? Accountants who take care of financial information, including market assessments and Yummy Good Treats own financial records; also, all database administrators that have access to customer information, including confidential information that Yummy Good Treats hold on behalf of customers. • What are the expected outcomes? A plan should be developed against: a. Physical loss of data. Yummy Good Treats may lose immediate access to data for reasons ranging from natural disasters, accidents and/or disk failure, b. Interception of data in transit. This risk can include, but is not limited to, data transmitted between company sites, between employees, partners located at home or other locations. c. Data integrity. Intended modification of data that could help a third party or unintentional corruption that might be due to a software error that overwrites valid data. • What will be done based on the outcomes? a. Relationships with vendors and partners should be defined, who these organizations are and what kind of data you might exchange with them; as well as the protocols they should follow to protect Yummy Good Treats’ data. b. Making sure that all virus protection are up to date and scanning email, Web content, and file transfers for malicious content. c. Establish authentication, authorization, and accountability procedures for issuing and revoking accounts • Why is this step important in the risk assessment? This important because other than identifying the important assets of Yummy Good Treats, it also establishes countermeasures to protect these assets by defining protocols on how all data should be managed. 5) Develop a risk profile for the assessed environment 6) Determine a risk reduction plan for the environment