• Identify the assets and prioritization of those assets. (Assets can be information, tools, servers, applications, personnel, etc.)
• Evaluate the threats, including impact and likelihood.
• Evaluate vulnerabilities.
• Identify risk (risk = threat x vulnerability).
• Explain the risk option(s) chosen for each risk. This may be avoid, transfer, accept, or reduce. Note: In most cases, reduce is the more acceptable choice; however, if you choose otherwise, be sure to explain your justification.
• Identify security controls implemented to reduce risk (this includes least privilege, SoD, passwords, etc.).

Scenario:

Company have one database administrator (DBA) and back up their ordering system to the cloud. They have two system administrators to work on the local servers. Because their manufacturing process is proprietary, that is kept locally in the California office on the servers there.