This is the organization evaluation phase, in which the team gathers knowledge about the organization's information assets. Staff members cooperate with team members to identify the key information-related assets, which helps the team prioritize the assets according to their importance to the organization. In this phase the team also identifies the threats to those assets and the security requirements for them, and checks the organization's security practices, including weaknesses in its policies.
This phase evaluates the information infrastructure. The analysis team examines the infrastructure, key systems and components, and identifies the weaknesses in them that can lead to unauthorized actions. In terms of technology, it highlights the vulnerabilities present in network services, architecture, operating systems and applications. The result of this phase is important because it shows the state of the infrastructure as well as its technological vulnerabilities.
This is the risk analysis and mitigation phase. The team proceeds with the risk analysis by gathering data to measure the risks to critical assets, defining the risk evaluation criteria, and evaluating the risks against those criteria. In the risk mitigation process, the team develops a protection strategy and plans for protecting the organization's information-related assets and for organizational improvement.