The foundation of a risk-based approach to information security is a risk assessment. This theme runs through regulatory requirements spanning financial services, healthcare, government and other industries that handle sensitive information. Risk assessments and their supporting documentation are extremely important for maintaining full compliance with regulatory requirements. Annual risk assessments are also central to state regulations such as the New York DFS cybersecurity regulation 23 NYCRR 500. Organizations should perform annual risk assessments and build their information security program on the results. Following this process gives management a repeatable, measurable and defensible basis for risk-based information security decisions about the people, processes and technologies whose failure or misuse could compromise sensitive information and information systems.