1. I have one hundred laptops, and thirty servers, do I list them all individually in the Risk Assessment Table?
2. The aforementioned devices are in outsourced data centers, but they still must be listed as risks, correct?
3. I am assuming that much of the risk will be transferred to the outsourcer?