Security assessments can also be considered Security Threat and Risk Assessments. A Security Threat and Risk Assessment (STRA) must be conducted when developing, implementing major changes to, or acquiring an information system. The STRA is a component of overall Risk Management. The STRA pertains to information, whereas the Risk Assessment covers all aspects of a project, including equipment, funding, resources, etc. Additionally, security assessments should be conducted regularly across the organization.
Assess your organization against a standard. Build, document, and execute action items from the assessment.