Identification should include
- defining risk management as the process of identifying possible vulnerabilities and quantifying potential risk as it pertains to systems
- addressing risk management strategies, including but not limited to
  - risk mitigation―reducing an organization’s exposure to the risk
  - risk transfer―transferring the risk to another company, such as an insurance firm
  - risk avoidance―avoiding the possibility of the risk (e.g., a retailer discontinues personal data collection of customers to avoid the risk that the data could be stolen)
  - risk acceptance―understanding and accepting the risks associated with use of a system or feature; this often happens when the cost of mitigation outstrips the potential loss associated with the risk.
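As an added illustration (not part of the original outline), the script below quantifies a risk as annualized loss expectancy and compares the four strategies listed above on cost. The quantification (ALE = single loss expectancy × annualized rate of occurrence), the decision rule (pick the option with the lowest treatment cost plus residual loss), and the sample risks and figures are all assumptions constructed for the example; acceptance is modelled as the zero-cost baseline, so it is selected exactly when every other strategy costs more than the loss it removes.

```python
"""Added example: a small quantitative risk register that scores each risk
as annualized loss expectancy (ALE) and picks a treatment strategy.

Assumptions (constructed for this example, not stated by the outline):
  ALE = SLE * ARO, and the chosen treatment is the one minimizing
  treatment cost + residual ALE. Acceptance is always a candidate with
  zero cost and full residual loss.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: loss per event, in currency units
    aro: float  # annualized rate of occurrence: expected events per year

    def ale(self) -> float:
        """Expected loss per year if the risk is left untreated."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Treatment:
    strategy: str             # "mitigate", "transfer", "avoid" or "accept"
    annual_cost: float        # what applying the treatment costs per year
    residual_fraction: float  # share of the original ALE that remains (0..1)

    def total_cost(self, risk: Risk) -> float:
        """Treatment cost plus the expected loss the treatment does not remove."""
        return self.annual_cost + risk.ale() * self.residual_fraction


# Acceptance: pay nothing, keep the whole expected loss.
ACCEPT = Treatment("accept", annual_cost=0.0, residual_fraction=1.0)


def choose_treatment(risk: Risk, options: List[Treatment]) -> Treatment:
    """Return the candidate with the lowest total expected annual cost.
    Acceptance is appended as the baseline, so another strategy wins only
    if it removes more expected loss than it costs."""
    candidates = list(options) + [ACCEPT]
    return min(candidates, key=lambda t: t.total_cost(risk))


def example_register() -> Dict[str, str]:
    """Evaluate two constructed risks and return name -> chosen strategy."""
    # Constructed figures for illustration only.
    pii_breach = Risk("customer PII database breach", sle=500_000.0, aro=0.1)   # ALE 50,000
    pii_options = [
        Treatment("mitigate", annual_cost=20_000.0, residual_fraction=0.3),   # 20,000 + 15,000
        Treatment("transfer", annual_cost=30_000.0, residual_fraction=0.2),   # 30,000 + 10,000
        Treatment("avoid", annual_cost=45_000.0, residual_fraction=0.0),      # lost revenue, no loss
    ]

    # A low-impact risk where the only control costs far more than the loss.
    kiosk_defacement = Risk("kiosk web page defacement", sle=2_000.0, aro=0.5)  # ALE 1,000
    kiosk_options = [
        Treatment("mitigate", annual_cost=5_000.0, residual_fraction=0.0),
    ]

    return {
        pii_breach.name: choose_treatment(pii_breach, pii_options).strategy,
        kiosk_defacement.name: choose_treatment(kiosk_defacement, kiosk_options).strategy,
    }


if __name__ == "__main__":
    for risk_name, strategy in example_register().items():
        print(f"{risk_name}: {strategy}")
```

For the first constructed risk mitigation is cheapest overall (35,000 against 40,000 for transfer, 45,000 for avoidance and 50,000 for acceptance); for the second, the 5,000 control exceeds the 1,000 expected loss, so acceptance is selected, which is the situation the last bullet describes.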