- Treat the data and analyses of this step with the utmost security.
- Use a VPN or Tor when conducting the search from a country that is highly competitive with the organization’s country, or that is known to conduct surveillance.
- Identify the possible impact of the vulnerability.
- Identify any threats to critical processes that the vulnerability makes possible.
- Identify the process with the greatest impact if interrupted.
- Identify the possibility of exploitation.
- Identify the level of resources required to exploit the vulnerability.
- Compare the resources required against the capabilities identified in the risk modeling activities and the contextual research you completed.
- Position the vulnerability on the risk matrix in relation to its likelihood and its impact.
- Place impacts against a range of likelihood.
- Clean up critical process maps for use in reporting.
- Create a list of all services or assets identified during the activity that were not already known by the auditor.
Identify and rank vulnerabilities
Build a vulnerability/likelihood matrix
Create a risk matrix
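The steps above, from comparing required resources against adversary capability through to placing each vulnerability on the matrix, can be sketched as follows. This is an added example, not part of the original checklist; the three-level scale, the scoring rule, and all process, adversary and vulnerability entries are constructed assumptions.

```python
# Added example: the three-level scale and every sample value are constructed assumptions.
LEVELS = ("low", "medium", "high")

def likelihood(required, capability):
    """Compare the resources an exploit requires with one adversary's capability."""
    gap = LEVELS.index(capability) - LEVELS.index(required)
    return 0 if gap < 0 else 1 if gap == 0 else 2   # index into LEVELS

def position(vuln, adversaries, processes):
    """Return (impact, worst-case likelihood, best-case likelihood) as LEVELS indexes."""
    # Impact is driven by the most critical process the vulnerability threatens.
    impact = max(LEVELS.index(processes[p]) for p in vuln["threatens"])
    # One likelihood per adversary gives a range rather than a single point.
    scores = [likelihood(vuln["resources_required"], cap) for cap in adversaries.values()]
    return impact, max(scores), min(scores)

def rank(vulns, adversaries, processes):
    """Order by impact, then worst-case likelihood, then best-case likelihood."""
    return sorted(vulns, key=lambda v: position(v, adversaries, processes), reverse=True)

def risk_matrix(vulns, adversaries, processes):
    """Map (impact, likelihood range) cells to the vulnerability names placed in them."""
    matrix = {}
    for v in rank(vulns, adversaries, processes):
        impact, worst, best = position(v, adversaries, processes)
        cell = (LEVELS[impact], f"{LEVELS[best]}-{LEVELS[worst]}")
        matrix.setdefault(cell, []).append(v["name"])
    return matrix

# Constructed sample inputs: impact of interrupting each critical process,
# adversary capability from risk modeling, and findings from the audit.
PROCESSES = {"public website": "low", "payroll": "medium", "source communication": "high"}
ADVERSARIES = {"opportunistic criminal": "low", "state-aligned actor": "high"}
VULNS = [
    {"name": "unpatched CMS plugin", "resources_required": "low",
     "threatens": ["public website"]},
    {"name": "unencrypted mail archive", "resources_required": "medium",
     "threatens": ["source communication"]},
    {"name": "weak Wi-Fi passphrase", "resources_required": "high",
     "threatens": ["payroll", "source communication"]},
]

if __name__ == "__main__":
    for cell, names in risk_matrix(VULNS, ADVERSARIES, PROCESSES).items():
        print(cell, names)
```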