Risk and control monitoring and reporting Flashcards
What are KRIs?
risk indicators are used to measure risk levels in comparison to defined risk thresholds, so that the organization receives an alert when a risk level approaches an unacceptable level.
they are highly relevant and possess a high probability of predicting or indicating important risks
how do KRI’s support management
- risk appetite: by validating the organizations risk appetite and tolerance levels
- risk identification: by providing an objective means for identifying risk
- risk mitigation: by providing a trigger for investigating an event or providing corrective action
- risk culture: by helping the organization focus on important, relevant areas
- risk measurement and reporting: by providing objective and quantitative risk information
- regulatory compliance: by providing data that can be used as an input for operation risk capital calculations.
list the considerations in KRI selection
- they should be linked to a specific risk
- they should be complete and accurate
- they should be easy to measure, compare and interpret
- they should provide results that are comparable over time
- they should be linked to goals
what makes an effective KRI
- specific: based on a clearly understood goal
- measurable:
- attainable
- relevant: directly related to a specific goal
- timely: grounded in a specific timeframe
what factors influence KRI selection ?
- KRI should be balance and cover lag indicators, leading indicators and trends
- KRI should drill down to root causes of events, not just the symptoms
what are some criteria for an effective KRI?
- impact:
- effort
- reliability
- sensitivity
- repeatable
how do you optimize a KRI?
- ensure that the correct data are being collected and reported on.
- ensure that KRI thresholds are set correctly
what are KPIs?
they measure how well a process is performing in terms of its stated goal. it also indicates the capabilities, practices and skills of value to the organization.
what makes an effective KPI?
- provide value to the organization
- tied to a business function of service
- under the control of management
- quantitatively measured
- used repeatedly in different reporting periods/
how can KPIs and KRIs be used together?
- KPIs help to identify underperforming aspects of the organizations and areas of the business that may require additional resources and attention
- KRIs provide early warnings of increased risk within the organization.
what are the benefits of logs?
- analysis of log data can identify security violations and can be instrumental in forensics investigations.
- log analysis can also alert the organization to malicious activities, such as a developing attack or multiple attempts to break in.
what is an integrated test facility?
ITF is a testing methodology that processes test data through production systems to test whether the systems are operating correctly.
what is the purpose of the IS control monitoring function?
ensure that IT security requirements are being met; standards are being followed; and staff is complying with policies, practices and procedures of the organization
list the steps of the IS control process
- identify and confirm risk control owners and stakeholders.
- engage with stakeholders and communicate the risk and information security requirements and objectives for monitoring and reporting
- align and continually maintain the information security monitoring and evaluation approach with the IT and enterprise approach
- establish the information security monitoring process and procedure
- agree on a life cycle management and change control process for information security monitoring and reporting
- request, prioritize and allocate resources for monitoring information security.
why are risk monitoring and evaluation processes performed?
- to collect, validate and evaluate business, IT and process goals and metrics
- to monitor processes to ensure that they are performing in line with established performance metrics
- to provide reports that are systematic and timely