ABSTRACT

The data gathering phase is perhaps the most labor-intensive phase of the security risk assessment process and covers all of the organization's security controls within the boundaries of the project. The activities performed within the data gathering phase are dictated by the representation of security controls and the depth of evidence collected on those controls. Each of these elements of data gathering is discussed in more depth in this chapter. For each security control within the scope of the security risk assessment, the assessment team must determine how many instances, and which instances, are sufficient to represent the control being examined. The data gathered on each security control will either be all instances of the control. Sampling can be an excellent technique for gathering representative security test data about a large number of network components. The advantages of selective sampling include the same advantages as representative sampling, namely cost savings and a reduction in repetitive data.
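As an added illustration of the two sampling approaches the abstract names (this is example code written for this page, not material from the chapter), the block below draws a stratified representative sample from a constructed network component inventory so that every component type is covered, and contrasts it with a selective sample chosen by an explicit criterion. The inventory, the component types, the hypothetical `representative_sample` and `selective_sample` functions and the internet-facing flag are all assumptions made for the example.

```python
import random
from collections import defaultdict

# Constructed inventory for the example (not from the chapter):
# (hostname, component type, internet-facing?)
INVENTORY = [
    ("fw-01", "firewall", True), ("fw-02", "firewall", True),
    ("sw-01", "switch", False), ("sw-02", "switch", False),
    ("sw-03", "switch", False), ("sw-04", "switch", False),
    ("sw-05", "switch", False), ("sw-06", "switch", False),
    ("web-01", "server", True), ("web-02", "server", True),
    ("db-01", "server", False), ("db-02", "server", False),
    ("app-01", "server", False),
    ("ws-01", "workstation", False), ("ws-02", "workstation", False),
    ("ws-03", "workstation", False), ("ws-04", "workstation", False),
]


def representative_sample(inventory, fraction, minimum=1, seed=0):
    """Stratified random sample of the inventory.

    Every component type (stratum) is represented by at least `minimum`
    instances and by roughly `fraction` of the instances of that type, so
    the evidence gathered is representative of the whole population rather
    than skewed toward the most numerous component type.  A fixed seed makes
    the selection reproducible for the assessment record.
    """
    rng = random.Random(seed)
    strata = defaultdict(list)
    for item in inventory:
        strata[item[1]].append(item)
    chosen = []
    for _ctype, items in sorted(strata.items()):
        k = min(len(items), max(minimum, round(len(items) * fraction)))
        chosen.extend(rng.sample(items, k))
    return chosen


def selective_sample(inventory, predicate):
    """Selective (judgement-based) sample: keep only the instances that
    satisfy an assessor-chosen criterion, e.g. internet-facing components."""
    return [item for item in inventory if predicate(item)]


def coverage_by_type(sample):
    """Count how many instances of each component type a sample contains;
    a type with a count of zero would leave that control unrepresented."""
    counts = defaultdict(int)
    for _host, ctype, _exposed in sample:
        counts[ctype] += 1
    return dict(counts)


if __name__ == "__main__":
    rep = representative_sample(INVENTORY, fraction=0.5)
    sel = selective_sample(INVENTORY, lambda item: item[2])
    print("representative:", coverage_by_type(rep))
    print("selective (internet-facing):", [h for h, _, _ in sel])
```

Recording the seed, the fraction and the predicate alongside the sample lets a reviewer reproduce exactly which instances were examined, which is the evidence trail the data gathering phase is meant to produce.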