The Risk Management Control Policy defines the control objectives for identification, assessment, and management of information security risk within the GoA. Information security risk is managed through risk assessment, threat identification, vulnerability assessment, and documented processes for reporting and treating risk.