ABSTRACT

No matter what security risk assessment method or tool is used, data gathering is an essential step in the process. The scope of the data-gathering phase depends on the results of (a) the project-definition phase to define the system boundaries, controls, and assets to be reviewed, and (b) the project-preparation phase to ensure that the team’s time spent on on-site data collection will be effective and efficient. By the time the security risk assessment team begins the data-collection process, the necessary definitions and preparations should have been completed.