The purpose of this Handbook is to describe information system security (ISS) risks, the measures available to mitigate these risks, and techniques for managing security risks.
Security can be defined as the state of being free from danger and not exposed to damage from accidents or attack, or it can be defined as the process for achieving that desirable state. The objective of information system security is to optimize the performance of an organization with respect to the risks to which it is exposed.
Risk is defined as the chance of injury, damage, or loss. Risk management in this sense is a three-part process:
Identification of material risks,
Selection and implementation of measures to mitigate the risks, and
Tracking and evaluating of risk losses experienced, in order to validate the first two parts of the process.