II.A Risk Identification

Action Summary

Management should develop and implement a process to identify risk.

Risk is the potential that events, expected or unanticipated, may adversely affect the institution's earnings, capital, or reputation. Risk is considered in terms of categories, one of which is operational risk. Operational risk is the risk of failure or loss resulting from inadequate or failed processes, people, or systems. Internal and external events can affect operational risk. Internal events include human errors, misconduct, and insider attacks. External events affecting IT and the institution's ability to meet its operating objectives include natural disasters, cyber attacks, changes in market conditions, new competitors, new technologies, litigation, and new laws or regulations. These events pose risks and opportunities, and the institution should factor them into the risk identification process.

To be effective, an information security program should have documented processes to identify threats and vulnerabilities continuously. Risk identification should produce groupings of threats, including significant cybersecurity threats. A taxonomy for categorizing threats, sources, and vulnerabilities can help support the risk identification process. (A taxonomy is a method for classifying items into ordered categories. Institutions use taxonomies to find relevant information in a large collection of data and to better detect or understand patterns and trends.) Management should perform these risk identification activities to determine the institution's information security risk profile, including cybersecurity risk.
