This is step one in organizing an enterprise security program. Can you please help me identify methodologies, forms, documents that would be useful in conducting such an analysis?
I would recommend taking a look at the OCTAVE methodology. This is a methodology established by the CERT Coordination Center that stands for Operationally Critical Threat, Asset and Vulnerability Evaluation. It is a framework/approach for performing your own information risk assessments. Check out http://www.cert.org/octave for more information.
There's also an excellent book that goes into even more detail on OCTAVE that you might benefit from titled "Managing Information Security Risks: The OCTAVE Approach" by Christopher J. Alberts and Audrey J. Dorofee.
This was first published in June 2004