An organization needs to clearly identify its key business assets, such as the IT component that underpins core products and services or its financial or trading systems. These may not just be inside the organization, but may also include suppliers or partners. The relative risks to these key assets then need to be analyzed.
The first step in the management of computer security is to make a risk analysis. The objective of risk management is to define a master security plan and target the efforts and security investments to make.