all right. The last little piece of this section. The I T risk assessment report. So we've identified our risks, and we've assessed him. We've determined of value. Now, this information is going to help us analyze with the appropriate risk management strategies they're gonna be
Usually this is information that is separate from the risk register.
However, some of the information on your risk assessment report will go in the risk register and again, gap analysis where we are versus where we want to be. So ultimately, this is gonna be a document that we're gonna present the senior management.
Ah, that's going to indicate the areas that we consider ourselves to be still vulnerable,
meaning where we feel like we have residual risk. That's outside off the acceptable limits. Because if we do have more risk than we're willing to accept, then we need to act on it. Okay, so we're gonna make some recommendations. We see that maybe we need further mitigation in the event of
uh, internal malicious user. Right. And that's gonna be part of our recommendation. So we collect information, we present it. We also make recommendations, including prioritization,
and ultimately we're gonna go through and part of this record. Like I said, it's Ah, This report is a formalized document for senior management. So we'll go through and talk about what our purpose with risk assessment was. We'll talk about any techniques we used for risk assessment will talk about
the scope, Which means how large the assessment. Woz. What was it particular, too?
Any type of information, how our risk context impacted us, Um, the quality of the data like we've already talked about. So basically everything that we've done up to this point as a schism, we're now gonna collect that information, and we're gonna finalize it in a report.
And again, usually what we're looking to do here is to get management's backing
for the mitigation strategies that we want to put in place.
Ultimately, senior management, like we've said, has tthe e ownership of the risk, and that should be documented. Ultimately, the owner of the data, the owner of the system, they're the ones capable off approving an implementing mitigation,
and they're the ones who choose the mitigation strategy
that needs to be documented also right. We want that clear path of reporting, and it's important that ownership be high enough to an individual within the organization that can sign the checks and actually authorize the changes.
So that leads us to a wrap up of the assessment process. Remember, we've still got four identify, assess. So what's coming up next is gonna be risk mitigation where we take all this information that we've collected and we figure out how are we gonna bring residual risk
down to within an acceptable level?