Asking the Right Questions 71 staff. The key is to start broad and set reasonable goals or you will quickly get overwhelmed. You will want to include additional ownership and administration information in the profile, even though it doesn't directly affect the evaluation of the resource's sensitivity because it will help you to manage the assessment process. For example, be sure to also capture: · · · · Resource owner Business unit Resource custodian Environment and/or location These administrative details will help with the execution of your risk program and can also make reporting metrics easier. These may seem like simple details, but your job will be that much harder if you don't establish this information from the start. Although the risk profile doesn't need to be a list of every security con- trol related to that resource, you should also capture some general details about access methods, interfaces, and basic security controls like: · Support and hosting model