Risk and control monitoring and reporting Flashcards

1
Q

What are KRIs?

A

Key risk indicators are used to measure risk levels in comparison to defined risk thresholds, so that the organization receives an alert when a risk level approaches an unacceptable level.

They are highly relevant and possess a high probability of predicting or indicating important risks.

2
Q

how do KRIs support management?

A
  1. risk appetite: by validating the organization's risk appetite and tolerance levels
  2. risk identification: by providing an objective means for identifying risk
  3. risk mitigation: by providing a trigger for investigating an event or providing corrective action
  4. risk culture: by helping the organization focus on important, relevant areas
  5. risk measurement and reporting: by providing objective and quantitative risk information
  6. regulatory compliance: by providing data that can be used as an input for operational risk capital calculations.
3
Q

list the considerations in KRI selection

A
  1. they should be linked to a specific risk
  2. they should be complete and accurate
  3. they should be easy to measure, compare and interpret
  4. they should provide results that are comparable over time
  5. they should be linked to goals
4
Q

what makes an effective KRI?

A
  1. specific: based on a clearly understood goal
  2. measurable
  3. attainable
  4. relevant: directly related to a specific goal
  5. timely: grounded in a specific timeframe
5
Q

what factors influence KRI selection?

A
  1. KRIs should be balanced and cover lag indicators, leading indicators and trends
  2. KRIs should drill down to the root causes of events, not just the symptoms
6
Q

what are some criteria for an effective KRI?

A
  1. impact
  2. effort
  3. reliability
  4. sensitivity
  5. repeatable
7
Q

how do you optimize a KRI?

A
  1. ensure that the correct data are being collected and reported on.
  2. ensure that KRI thresholds are set correctly.
8
Q

what are KPIs?

A

KPIs measure how well a process is performing in terms of its stated goal. They also indicate the capabilities, practices and skills of value to the organization.

9
Q

what makes an effective KPI?

A
  • provide value to the organization
  • tied to a business function or service
  • under the control of management
  • quantitatively measured
  • used repeatedly in different reporting periods
10
Q

how can KPIs and KRIs be used together?

A
  • KPIs help to identify underperforming aspects of the organization and areas of the business that may require additional resources and attention
  • KRIs provide early warnings of increased risk within the organization.
11
Q

what are the benefits of logs?

A
  • analysis of log data can identify security violations and can be instrumental in forensics investigations.
  • log analysis can also alert the organization to malicious activities, such as a developing attack or multiple attempts to break in.
12
Q

what is an integrated test facility?

A

ITF is a testing methodology that processes test data through production systems to test whether the systems are operating correctly.

13
Q

what is the purpose of the IS control monitoring function?

A

ensure that IT security requirements are being met, standards are being followed, and staff are complying with the policies, practices and procedures of the organization

14
Q

list the steps of the IS control process

A
  1. identify and confirm risk control owners and stakeholders.
  2. engage with stakeholders and communicate the risk and information security requirements and objectives for monitoring and reporting
  3. align and continually maintain the information security monitoring and evaluation approach with the IT and enterprise approach
  4. establish the information security monitoring process and procedure
  5. agree on a life cycle management and change control process for information security monitoring and reporting
  6. request, prioritize and allocate resources for monitoring information security.
15
Q

why are risk monitoring and evaluation processes performed?

A
  • to collect, validate and evaluate business, IT and process goals and metrics
  • to monitor processes to ensure that they are performing in line with established performance metrics
  • to provide reports that are systematic and timely
16
Q

what are the control assessment types?

A
  1. IS audit
  2. vulnerability assessment
  3. penetration testing
  4. third party assurance
17
Q

what is a vulnerability assessment?

A

methodical review of security to ensure that there are no predictable and unaddressed attack vectors that could be used to intentionally or unintentionally compromise an environment.

18
Q

what is penetration testing?

A

targeted attempt to break into an environment with a goal to validate a vulnerability assessment.

19
Q

name the two types of penetration testing

A

white hat or validation centric testing

black hat

20
Q

describe the risk profile

A

The risk profile is based on the overall risk posture of the organization, reflected in its attentiveness to monitoring the effectiveness of controls, its proactivity in identifying and addressing or preventing risk, and its development of a risk culture.

21
Q

What is a risk impact analysis?

A

a study to prioritize the criticality of information resources for the enterprise based on the costs or consequences of adverse events. In an impact analysis, threats to assets are identified and potential business losses are determined for different time periods. The assessment is used to justify the extent of safeguards that are required and the recovery time frames. The analysis is the basis for establishing the recovery strategy.

22
Q

What is a critical factor in implementing a risk-based approach to the SDLC?

A

adequate involvement of business representatives

23
Q

Which of the following is the MOST important consideration for an organization structuring a contract with a third party? The inclusion of a

A

confidentiality clause

24
Q

what is a capability assessment?

A

A capability assessment helps determine the enterprise’s maturity in its risk management processes and the capacity and readiness of the entity to develop a risk management program. When the enterprise is more mature, more sophisticated responses can be implemented; when the enterprise is rather immature, some basic responses may be a better starting point.

25
Q

Where are key risk indicators MOST likely identified when initiating risk management across a range of projects?

A

Risk response

26
Q

Reliability of a key risk indicator would indicate that the metric:

A

flags exceptions every time they occur.

27
Q

Describe a difference between KCI, KRI, KBI and KPI

A
  • KCI: Key control indicators determine if internal controls are effective.
  • KRI: Key risk indicators can help to assess the impact to risk tolerance.
  • KBI: A key business indicator ensures business goals are being achieved.
  • KPI: Key performance indicators ensure desired performance levels and metrics are achieved.
28
Q

The MOST important objective of regularly testing information system controls is to

A

identify design flaws, failures and redundancies.

29
Q

what is a control indicator?

A

control indicators are used to determine the effectiveness of an organization’s controls designed to treat its risk

30
Q

what type of review will provide the MOST insight into an enterprise’s risk management capabilities?

A

A capability maturity model review