The risk identification process have different core activities performed by organizations during the risk assessment process. The knowledge base is created to identify potential information security risks in the business and operations of the organization. The knowledge base is created through meetings and coordination with people in the organization. Such coordination and meeting may include interviews, discussions, and observations of the processes and activities.
Information and data owners and custodians are the people who possess the actual knowledge base of the customers, operations, and other business activities.
Knowledge is also gained through analyzing actual information security incidents that occurred and were reported within the organization. The operational loss database of the organization includes information security incidents and data breach incidents that occurred at different locations and departments, having financial and reputational risk impacts.
Such an information security loss database serves as the reference point to identify the trend of information security risks and related incidents. External sources, such as customer information in the form of complaints or inquiries, may also indicate the possibility of information security risks in a particular department or function. Regulatory authorities may also enquire about potential frauds, which also serve as the identification point for information security risks in a particular organization.
Industry study and trends analysis may also indicate information security risks and data frauds if the industry is growing in a particular area but the organization is struggling to grow. Senior management must analyze these trends to identify existing or potential information security risks inherent in the processes and departments.
Information security risks may also be identified by analyzing regulatory breaches and fines imposed by the regulators. Indicators of information security breaches also include pressure on senior management for employees to meet the targets, causing unauthorized information and data disclosures or misuse.
The intentions and reputation of the management are also considered to identify the data or information risks. Management includes the board of directors and senior management of the organization responsible for setting the direction and providing supervision to the management and employees. The history and reputation of the key executives are considered from the perspective of overriding internal controls and involving in fraudulent activities.
The possibility of occurrence through different data and information fraud schemes is also considered, such as data manipulation for fraudulent financial reporting, misappropriation of information assets, misuse of customers’ critical information, etc.
Identification Process is a set of activities aimed at systematically defining a company’s set of business processes and establishing clear criteria for prioritizing them. The process identification process produces a process architecture, which represents the business processes and their interrelationships. Identifying processes allows an organization to begin visualizing the range of activities from start to finish, assisting employees in determining what steps are required and who requires what along the way.