The purpose of the risk analysis is to identify the internal control and security vulnerabilities of an SDLC, determine the nature and magnitude of the associated threats to data and assets, determine the resulting potential for loss, and provide managers, designers, systems security specialists and testers with recommended safeguards.
These safeguards would be included during the design, development and installation/operation phases of a new or modified SDLC to reduce the potential loss.
The risk analysis should be reviewed and revised, as necessary, during each phase of the SDLC to assure that appropriate security measures are installed.
The review teams should use the findings and recommendations of the risk analysis during the SDLC security and certification reviews. It should be prepared and maintained as a separate document, and should be reviewed and updated as necessary whenever a modification is made to the operational system.