Which process determines the level of risk and the resulting security requirements for each system?

The process that determines the level of risk and the resulting security requirements for each system is risk assessment. This process involves identifying potential threats and vulnerabilities to systems, assessing the likelihood and impact of these risks, and determining the necessary security measures to mitigate them. By performing a risk assessment, an organization can prioritize its security efforts based on the severity of identified risks, which helps in allocating resources effectively and ensuring that critical systems have appropriate protections in place.

Contingency planning focuses on preparing for potential incidents and ensuring that there are plans in place to maintain operations during and after a disruptive event, rather than assessing risk levels. Risk mitigation refers to the strategies and actions taken to reduce the impact or likelihood of risks but does not involve the initial analysis of risk. Residual risk is the remaining risk after controls and mitigations have been implemented and does not encompass the assessment of those risks in the first place.