ABSTRACT

Risk management provides the information assurance (IA) program the basis for establishing controls to protect the organization’s key assets. The principal goal of a risk management program is to define levels of protection for the organization and maintain its ability to perform its mission. It is a proactive process for identifying, prioritizing, and managing risk to an acceptable level. Risk management gives organizations a consistent, clear path to organize and prioritize limited resources in order to manage risk. A formal risk management process enables enterprises to operate in the most cost-effective manner with a known, acceptable level of business risk. Risk management for information assurance must encompass people, process, and technology. For this reason, risk management is a management function rather than a technical