Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.

Periodic risk assessments help identify risks to your company's systems and business processes. Risk assessments cover people, technology, information, and facilities. There are different types of risk assessments. These include qualitative and quantitative. Qualitative risk assessments are generally easier to conduct.

Assemble a team of IT personnel and business personnel to perform an organizational risk assessment. Create a list of threat sources (e.g., cyber attack) and threat events (denial of service against your web server). List your existing vulnerabilities associated with the threat event (e.g., a lack of inbound traffic filtering rules). Calculate the likelihood of the the threat event occurring. Calculate the impact the threat event would have if it occurred. Calculate the risk the threat event poses to your company. Determine the actions you can take to mitigate the identified risks. Document the above in a risk assessment report. Have a policy defining the frequency your company is to conduct risk assessments.