ABSTRACT

No matter what security risk assessment method or tool is used, data gathering is an essential step. The scope of the data-gathering phase depends on the results of the project definition phase, which defines the system boundaries, controls, and assets to be reviewed, and of the project preparation phase, which ensures that the team’s time on site collecting data will be effective and efficient. By the time the security risk assessment team begins the data-collection process, the necessary definitions and preparations have been completed.