How to structure an overall security risk assessment?
Posted on 2003-02-20
I was just asked to conduct an overall, not a detailed, IS security risk assessment. I'm looking for some references on risk assessment and reporting (not risk mitigation). This includes establishing risk and impact criteria / definitions (e.g., "High" means ...), a way to assess, prioritize and report risks, etc.
I've done detailed risk assessments and security analysis, so I'm comfortable with the detailed aspect. I'm more looking for advice on how to structure and frame the detailed results and high-level observations into a management framework. My audience is CIO level at a 10,000-employee firm.
I plan to look at the CERT and CISSP sites. Any other suggestions for places to pick up ideas?