Risk and Control Monitoring and Reporting Tutorial

4.1 Risk and Control Monitoring and Reporting

Hello and welcome to the Certified in Risk and Information Systems Control (CRISC®) Course offered by Simplilearn. The focus of this domain is that the CRISC candidate should monitor IT risk, report it to relevant stakeholders, and ensure that risk management in the company is aligned with the objectives of the organization. Let us look at the objectives of this domain in the next screen.

4.2 Objectives

After completing this domain, you will be able to:
List key risk indicators
Detail data collection efforts
Explain monitoring controls
Document control assessments
Discuss the IT risk profile

Let’s now begin this domain by learning about task statements in the next screen.

4.3 Task Statements

As you have already learned in previous domains, task statements list the tasks that an information security professional must perform. The seven task statements prescribed by CRISC are:
Define key risk indicators that can enable monitoring of risk
Monitor key risk indicators to determine changes in the risk profile
Report trends in the risk profile to management to aid in decision making
Identify performance indicators that measure changes in control performance
Analyze performance indicators to determine the efficiency of controls
Review the results of control assessments to determine the effectiveness of the control environment
Report performance of the control environment to management to aid in decision making

Let us look at knowledge statements in the next screen.

4.4 Knowledge Statements

Well, now that you know what task statements are, let’s learn about knowledge statements. Knowledge statements are the aspects of information security of which an information security professional must have thorough knowledge. These statements help the security professional perform the required tasks.

4.5 Knowledge Check

This question will help you recall the concepts you learned.

4.6 Key Risk Indicators (KRIs)

Do you know what key risk indicators or KRIs support? KRIs measure the level of risk based on a threshold. An enterprise can set alerts based on certain thresholds being breached. A few KRIs are listed here, together with what each supports:
Risk identification: Provides an objective means for identifying risk
Risk appetite: Validates the organization’s risk appetite and risk tolerance levels
Risk mitigation: Provides a trigger for investigating an event or providing corrective action
Risk measurement and reporting: Provides objective and quantitative risk information
Risk culture: Helps the organization focus on important, relevant areas
Legal and regulatory compliance: Provides data that can be used as an input for operational risk capital calculations

Let us now look at KRI selection in the next screen.

4.7 KRIs Selection

Other factors that can influence the selection of risk indicators include:
Cover events before and after the risk, as well as trending of events
Provide the root cause of events

Okay, so you have now learned about KRIs and the criteria for selecting them. Now, let’s see how to gauge the effectiveness of KRIs.

4.8 Benefits of KRIs

The selection of an appropriate set of KRIs benefits the organization in ways such as:
Providing an early warning signal
Analysis of risks that have occurred
Analyzing trends of risks
Provision of an indication of the risk tolerance level of an organization
Identifying areas where the organization can improve and achieve its goals
Ensuring optimized risk governance

4.9 KRIs Effectiveness

KRIs can be effective if certain considerations are taken into account:
Impact: Indication of risk with high business impact
Effort: The effort needed to measure and maintain the risk indicator
Reliability: Should be reliable by possessing a high correlation with the risk
Sensitivity: Sensitive in the sense that it is representative of the risk and capable of accurately indicating risk variances
Repeatable: Should be repeatable, such that it can be measured on a regular basis and show trends and patterns

We shall look at optimization of KRIs in the next screen.

4.10 KRIs Optimization

In order to optimize risk indicators, ensure that:
The report is supported by correct data
The thresholds have been set correctly

Risk indicators that do not alert management at the correct time should be adjusted through proper optimization of the following elements:
Sensitivity: Where there are numerous exceptions and a few exceptions can suffice. For example, intrusion alerts have been set up on the network perimeter and management decides to filter only critical alerts based on a risk assessment.
Timing: Where risk indicators are adjusted so that they alert at the right time. For example, management decides that suspicious transactions are tracked before the audit of the period is carried out.
Frequency: Where the regularity of a control is optimized. For example, a review of customer balances exceeding a certain limit that has always alerted management on a weekly basis can be adjusted to run daily, based on the analysis that such customers might not be traceable once a week has elapsed.
Corrective action: Where action to remediate the gap is prioritized based on the likelihood and impact of the event.

Let us attempt a quick recall question in the next screen.
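The following is an added example, not part of the Simplilearn course material, showing how the KRI ideas from screens 4.6 to 4.10 look in code: a risk indicator measured against a threshold with an early-warning band and a trend, the sensitivity lever (counting only critical alerts from a perimeter IDS feed), and corrective actions ordered by likelihood and impact. The alert feed, indicator names, thresholds and gaps are all constructed for illustration.

```python
from collections import Counter
from datetime import date
from statistics import mean

# Constructed IDS alert feed for one network perimeter: (day, severity),
# severity 1..4 with 4 = critical. Not real data.
ALERTS = [
    (date(2024, 3, 1), 1), (date(2024, 3, 1), 4),
    (date(2024, 3, 2), 2), (date(2024, 3, 2), 4),
    (date(2024, 3, 3), 4), (date(2024, 3, 3), 4),
    (date(2024, 3, 4), 1), (date(2024, 3, 4), 4), (date(2024, 3, 4), 4),
    (date(2024, 3, 4), 4),
]

def daily_counts(alerts, min_severity=1):
    """Sensitivity lever: per-day count of alerts at or above min_severity.
    Days with no qualifying alerts still appear as 0 so the series stays
    regular for trend analysis."""
    days = sorted({day for day, _ in alerts})
    counts = Counter(day for day, sev in alerts if sev >= min_severity)
    return [counts[d] for d in days]

def kri_status(series, threshold, warning_ratio=0.8):
    """Measure the latest value against the threshold: 'breach' at or above
    it, 'warning' inside the early-warning band below it, else 'normal'."""
    latest = series[-1]
    if latest >= threshold:
        return "breach"
    if latest >= warning_ratio * threshold:
        return "warning"
    return "normal"

def kri_trend(series, tolerance=0.1):
    """Trend = mean of the later half versus the earlier half of the series."""
    half = len(series) // 2
    if half == 0:
        return "flat"
    before, after = mean(series[:half]), mean(series[half:])
    if after > before * (1 + tolerance):
        return "rising"
    if after < before * (1 - tolerance):
        return "falling"
    return "flat"

def kri_report(name, series, threshold, warning_ratio=0.8):
    """One row of the KRI report handed to management."""
    return {"kri": name, "latest": series[-1], "threshold": threshold,
            "status": kri_status(series, threshold, warning_ratio),
            "trend": kri_trend(series)}

def prioritize_actions(gaps):
    """Corrective-action lever: remediate gaps in order of likelihood x impact."""
    return sorted(gaps, key=lambda g: g["likelihood"] * g["impact"], reverse=True)

if __name__ == "__main__":
    # Unfiltered vs. sensitivity-tuned indicator for the same alert feed.
    print(kri_report("perimeter alerts/day", daily_counts(ALERTS), 4))
    print(kri_report("critical alerts/day", daily_counts(ALERTS, 4), 4, 0.75))
```

On the constructed feed the unfiltered indicator already breaches its threshold while the critical-only indicator sits in the warning band with a rising trend, which is the kind of difference management sees when sensitivity is tuned.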

4.11 Knowledge Check

This question will help you recall the concepts you learned.

4.12 KRIs Maintenance

Once the KRIs are optimized, they must still be maintained and changed over time. KRIs should change frequently based on changes in the organization's internal and external environment. The environment in which the organization operates is usually highly dynamic, and risk indicators should reflect this. KRIs should at all times align with the risk tolerance and risk appetite levels of the organization. The trigger levels of KRIs should enable stakeholders to take appropriate and timely action. Let us look at data collection in the next screen.

4.13 Data Collection

Selecting and monitoring KRIs is only possible when one analyzes business information and data. A risk practitioner can get information from internal as well as external sources. Let’s understand the key sources from which a risk practitioner can get data. The internal sources of data are:
Audit trails and logs: These should have sufficient information to identify the event as well as the person who carried out the event
Internal and external audit reports: These contain information about identified risks in the organization
User feedback: Can be very useful in pointing out risky areas in the organization
Observation: Observation of the control environment in the organization
Security event and incident monitoring: Correlates information from multiple sources, which can be used to identify violations, and provides reports
Interviews: Interviews with management and other stakeholders can provide the risk practitioner with information on how the organization is operating

4.14 Data Collection (contd.)

In addition to the sources mentioned earlier, there are a few external sources of data that a risk practitioner can get information from. These are:
Security company advisory reports: Provide a status of the latest risks affecting companies. A good example is the Verizon Data Breach Investigations Report.
Regulatory bodies: Bodies such as those charged with licensing and regulating Information and Communications Technology or ICT companies provide a pointer to the risks facing the industry.
Organized computer emergency response teams: Normally state-owned, with private company participation.
Media reports: Usually detail what companies are struggling with.
Peer organizations: Especially those in the same industry, provide an indicator of the risks the organization can face.

Now that you have learned about the sources of data collection, let us attempt a quick recall question in the next screen.

4.15 Knowledge Check

This question will help you recall the concepts you learned.

4.16 Monitoring Controls

Analyzing the data that you collected from various sources will help you to put adequate controls in place for monitoring risk. Do you want to know why monitoring controls are needed? Well, the main purposes of monitoring controls are to:
Verify whether the control is effectively addressing the risk
Collect, validate, and evaluate business, IT and process goals and metrics

Have you wondered how you would get the information for monitoring controls? The main sources of control monitoring information include:
Continuous control monitoring
Periodic testing
Command and control centers
Independent assessments
Network operations centers

We shall continue looking at monitoring controls in the next screen.

4.17 Monitoring Controls (contd.)

You learned why having monitoring controls is important for risk management. Now, Control Objectives for Information and Related Technology or COBIT 5 provides a framework in which an organization can establish a monitoring approach. This approach involves:
Engaging stakeholders to define objectives
Scoping a business solution that aligns IT risk and business risk
Ensuring the business solution contributes to the enterprise objectives
Integrating the monitoring approach into the corporate performance management system

The controls established through risk management should align with the IT security of the organization. The information systems control monitoring function ensures that standards and policies are being complied with and IT security requirements are being met. We shall continue looking at monitoring controls in the next screen.

4.18 Monitoring Controls (contd.)

You learned how the COBIT 5 framework plays a role in monitoring controls. Let’s now learn about the steps involved in implementing monitoring controls:
Step 1: Identifying the risk owners and other stakeholders.
Step 2: Engaging with stakeholders on monitoring and reporting requirements.
Step 3: Aligning information security monitoring and evaluation approaches with the enterprise approach.
Step 4: Developing processes for monitoring information security.
Step 5: Aligning with the life cycle management and change control process in the company.
Step 6: Ensuring resources are allocated to monitor information security.

We shall look at control assessment in the next screen.

4.19 Control Assessment

After implementing control monitoring, it is necessary to assess its accuracy. To ensure that control monitoring is accurate, an organization should do the following:
Control monitoring: Encourage local ownership of risk and control monitoring.
Accept and review security incidents: The risk culture in the organization should encourage local managers to accept and review security incidents.
Provide objective review: An information systems audit can provide an independent and objective review of the effectiveness and appropriateness of the control environment.
Align audit: The risk practitioner should align the audit and risk management programs.
Align the risk management program: Alignment of the risk management program with audit often provides supporting data to the IS auditors.

Let us attempt a quick recall question in the next screen.

4.20 Knowledge Check

This question will help you recall the concepts you learned.

4.21 Vulnerability Assessments

A vulnerability is a weakness in the design, implementation, operation, or internal controls of a process that could be exploited to violate system security. Vulnerability assessment includes comprehensive assessment of vulnerabilities in processes, technologies and facilities. The process of developing a strategy will offer opportunities to address many of these vulnerabilities by taking a prudent and proactive approach. Examples of vulnerabilities include:
Defective software
Lack of compliance enforcement
Poorly designed network
Defective or uncontrolled processes
Inadequate management
Inadequate staff
Inadequate knowledge to support users
Untested technology
Unprotected communication
Poor communication in the organization

A common way to determine the extent of a vulnerability is to conduct penetration testing. Let us look at penetration testing in the next screen.

4.22 Penetration Testing

During penetration testing, a penetration tester tries to exploit the vulnerability, and if the penetration tester is able to break in, then the vulnerability is considered to be real and must be mitigated. However, if the tester is unable to break in, then there is a good chance that the vulnerability is not serious and does not require mitigation. Network penetration testing is also known as an intrusion test or ethical hacking. It involves using techniques available to a hacker such as:
Gathering and discovery of open source intelligence
Attempting to guess passwords
Searching for backdoors into systems
Exploiting known operating system vulnerabilities

Penetration testing is popular for testing firewalls and is performed by skilled and experienced professionals. This testing requires permission from top-level senior management, but IS security staff may not be informed. We shall look at third-party assurance in the next screen.

4.23 Third-party Assurance

Let’s now learn about the responsibilities of third-party assurance. Third-party assurance earns customer and shareholder confidence, especially when used to establish the validity of the organization's information security program. Its responsibility is to evaluate the processes of the subject organization and validate compliance with the requirements of the standard. We shall look at results of control assessments in the next screen.

4.24 Results of Control Assessments

After completing the risk assessments, the risk practitioner is expected to provide a report to management on the status of the risk management program and the overall risk profile of the organization. The effectiveness of the control monitoring process depends on the following aspects:
Timeliness of reporting
Skills of the data analyst
Quality of monitoring data available
Quantity of data to be analyzed

Let us look at the maturity model assessment and improvement techniques in the next screen.

4.25 Maturity Model Assessment and Improvement Techniques

Do you know why continuous improvement of the risk management program is necessary? Continuous improvement enables the program to be better at preventing, detecting, and responding to security events and risk scenarios, while the risk practitioner also develops the skills, tools, and team necessary for better risk management. The desired state of security may be defined as achieving a specific level in the Capability Maturity Model or CMM. The model consists of grading each defined area of security on a scale of 0 to 5, based on the maturity of the organization’s processes. Let’s learn about the levels in the capability maturity model in the next screen.

4.26 Capability Maturity Model

The Capability Maturity Model or CMM is used to develop and enhance an organization's risk management process. The model has six levels:
Level 0: Nonexistent, in which the organization is not interested in security at all
Level 1: Ad hoc, in which the organization considers risk on an irregular basis
Level 2: Repeatable but intuitive, in which the organization understands the importance of risk and the need for security
Level 3: Defined process, in which the organization implements a risk management policy and/or security awareness
Level 4: Managed and measurable, in which the organization implements a risk assessment standard procedure and assigns roles and responsibilities to individuals
Level 5: Optimized, in which the organization proactively implements, monitors, and manages the process

Let us attempt a quick recall question in the next screen.

4.27 Knowledge Check

This question will help you recall the concepts you learned.

4.28 IT Risk Profile

There are several areas that should be continually monitored for an effective and efficient risk control.

4.29 Quiz

The quiz action will help you to check your understanding of the concepts covered.

4.30 Summary

Here is a quick recap of what we have learned:
KRIs measure the level of risk based on a threshold.
Risk indicators should be optimized to ensure the report is supported by correct data and the risk indicator thresholds have been set correctly.
The main purposes of monitoring controls are to verify whether the control is effectively addressing the risk, and to collect, validate, and evaluate business, IT and process goals and metrics.
Vulnerability assessment includes comprehensive assessment of vulnerabilities in processes, technologies and facilities.
An effective control monitoring process depends on the timeliness of the reporting, the skill of the data analyst, the quality of monitoring data available and the quantity of data to be analyzed.
The risk practitioner has a key role in ensuring that management is aware of the current IT risk profile of the organization.

4.31 Conclusion

This concludes the domain on Risk and Control Monitoring and Reporting. You have come to the end of the course.

4.32 Thank you

Thank you and Happy Learning
