Agency's should understand their approach to security risk and how it reflects their security risk tolerance. Security assessments should reflect an Agency's risk tolerance, rather than the risk tolerance of individuals within the Agency or the consultants that support the Agency. Establishing this requires input and support from top management. Risk tolerance is established by reviewing Agency priorities, community expectations, political considerations and cultural norms.
1. Identify how to assess an agency's risk tolerance
2. Understand a risk based approach to Security
3. Discuss security risk tolerance