Each company needs to put in place a risk and control framework covering the key processes and procedures used to identify, assess, monitor, manage, and report the short- and long-term risks the company faces or may face, and to adequately capture the company's risk profile. One way of identifying risks is to have an Incident Management & Reporting process in place.
Incident management is a term describing the activities of an organization to identify, analyze, and correct hazards to prevent a future re-occurrence.
Incident management focuses on providing continuity of service by removing or reducing the adverse effect of disruptions to information services.
An incident is an event that could result in the loss of, or disruption to, an organization's operations, services, or functions.
The nature of the incident could be:
- Cyber attacks
- Theft of information
- Office accidents
- Infections
Incidents are classified by priority as follows:
- Negligible: causing no perceptible damage
- Minor: producing no negative financial or material impact
- Major: negative material impact on processes, with possible effects on systems, the organization, or third parties
- Crisis: resulting in a crucial material impact on the enterprise and its stakeholders
Sources of incidents:
- Malicious code attacks
- Unauthorized access to information sources
- Unauthorized services or physical threats
- Unauthorized changes to infrastructure or information
- DoS and DDoS attacks
- Surveillance and espionage
- Hoaxes and social engineering
In scope are all operational incidents impacting business processes due to a failure or external event that leads, or may lead, to direct, indirect, or reputational losses. That is why the risk categories in scope have to be defined and aligned with the Risk Management process:
- Control and Processing Risk
- Unauthorized Activity Risk
- Employment Practice Risk
- Personal & Physical Security & Continuity Risk
- Information (Technology) Risk
- Compliance Risk
- Fraud Risk