<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Project Planning on Bill Brown:Thoughts and Reference Material Online</title><link>https://www.billbrown.info/tags/project-planning/</link><description>Recent content in Project Planning on Bill Brown:Thoughts and Reference Material Online</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>BillBrown.info</copyright><lastBuildDate>Sat, 06 Jun 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://www.billbrown.info/tags/project-planning/index.xml" rel="self" type="application/rss+xml"/><item><title>Security Risk Assessment: Planning and Key Metrics</title><link>https://www.billbrown.info/post/security-risk-assessment-planning-and-key-metrics/</link><pubDate>Sat, 06 Jun 2026 00:00:00 +0000</pubDate><guid>https://www.billbrown.info/post/security-risk-assessment-planning-and-key-metrics/</guid><description>
&lt;!-- SOURCE: ISSC661/forum2/forum_post_2.docx --&gt;
&lt;h2 id="security-risk-assessment-planning-and-key-metrics"&gt;Security Risk Assessment: Planning and Key Metrics&lt;/h2&gt;
&lt;p&gt;The security assessment considerations described by Landoll (2016) include, at a high level, six phases: project definition, project preparation, data gathering, risk analysis, risk mitigation, and recommendations or findings.&lt;/p&gt;
&lt;h2 id="considerations-required-to-describe-a-security-risk-assessment-project"&gt;Considerations Required to Describe a Security Risk Assessment Project&lt;/h2&gt;
&lt;p&gt;A project has a beginning and an end, and in many cases projects are used to achieve strategic organizational goals. A company may use projects to innovate, move into a new business market, or drive down cost within the organization, as described by Verzuh (2015). Managing a security risk assessment is the same as managing any other project. Usually, a project sponsor and stakeholders have an interest or need in kicking off the project with a particular objective in mind. Once a project is created, the preparation for the project takes place. The security assessment team is identified and granted proper authorization to perform the assessment when the project starts.&lt;/p&gt;
&lt;p&gt;Data gathering is performed at the location of the security risk assessment and includes the value of the existing administrative, physical, and technical security controls, as described by Landoll (2016). The types of data to be collected include administrative, technical, and physical data. An example of administrative data gathering is reviewing procedures, policies, or training plans. Technical data gathering examples could include design, configuration, and architectural reviews. The physical review may take into account observations and inspections of applications or the physical location of the site.&lt;/p&gt;
&lt;p&gt;Risk analysis takes into account the asset valuation and maps it to known threats and vulnerabilities, as Landoll (2016) points out. Once the analysis is completed, the risk is calculated and risk statements for assets are created. The information derived from the risk analysis phase then needs to be prioritized and the risks mitigated, as Landoll (2016) points out. A safeguard plan needs to be laid out that maps threats and vulnerabilities to the safeguards that mitigate the risk to the assessed assets.&lt;/p&gt;
&lt;p&gt;The last step of the security risk assessment is the recommendations or findings from the assessment and the resolutions. A report and presentation are delivered to the stakeholders and project sponsor.&lt;/p&gt;</description></item></channel></rss>