ABSTRACT

The security life cycle, depicted in Figure 3.1, shows how the security of an information asset is achieved. Security is initially planned in terms of the asset's security policy, its scope, its security objectives, a limited preliminary impact analysis, and a limited risk assessment. Once a plan is defined, the security of the information asset is analyzed to define its security requirements. These requirements are established from two inputs: the levels of impact the asset has on the business mission of the organization, and the results of a risk assessment thorough enough to understand the asset's real security needs. Security analysis often acquires information on current threats, current security controls, and asset vulnerabilities and their exposure.