Management should develop and
implement a process to identify risk.
Risk is the potential that events, expected or unanticipated, may
adversely affect the institution's earnings, capital, or
reputation. Risk is considered in terms of categories, one of which
is operational risk. Operational risk is the risk of failure or
loss resulting from inadequate or failed processes, people, or
systems. Internal and external events can affect operational risk.
Internal events include human errors, misconduct, and insider
attacks. External events affecting IT and the institution's ability
to meet its operating objectives include natural disasters, cyber
attacks, changes in market conditions, new competitors, new
technologies, litigation, and new laws or regulations. These events
pose risks and opportunities, and the institution should factor
them into the risk identification process.
To be effective, an information security program should have
documented processes to identify threats and vulnerabilities
continuously. Risk identification should produce groupings of
threats, including significant cybersecurity threats. A
taxonomy[1] for categorizing threats, sources, and
vulnerabilities can help support the risk identification process.
Management should perform these risk identification activities to
determine the institution's information security risk profile,
including cybersecurity risk.

[1] A taxonomy is a method for classifying items into ordered
categories. Institutions use taxonomies to find relevant information
from a large collection of data and to better detect or understand
the patterns and trends.