Identification should include
- defining risk management as the process of identifying threats and vulnerabilities and quantifying the resulting risk (likelihood and impact) as it pertains to manufacturing and associated IT systems
- addressing risk management strategies, including but not limited to
  - risk mitigation—reducing the likelihood or the impact of the risk (e.g., patching, adding controls, segmenting networks)
  - risk transfer—shifting the financial consequences of the risk to another party, such as an insurance firm (the technical exposure itself remains)
  - risk avoidance—eliminating the activity that creates the risk (e.g., not using a specific software program avoids the known risks of that program)
  - risk acceptance—understanding, documenting, and formally accepting the residual risk associated with the use of a system or feature.
Process/Skill Questions:
- How can periodic risk assessments identify physical security threats and vulnerabilities that may affect cybersecurity?
- Why do you need to identify published cybersecurity risk management standards, such as those issued by the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO) (e.g., NIST SP 800-30, ISO/IEC 27005)?
- What is the basic process for developing a security program?
- What are the benefits of developing and deploying a security program?