In assessing risks for an IT system, the first step is to define the scope of the effort. In this step, the boundaries of the IT system are identified, along with the resources and the information that constitute the system. Characterizing an IT system establishes the scope of the risk assessment effort, delineates the operational authorization (or accreditation) boundaries, and provides information (., hardware, software, system connectivity, and responsible division or support personnel) essential to defining the risk. Section describes the system-related information used to characterize an IT system and its operational environment. Section suggests the information-gathering techniques that.
