Risk and control monitoring and reporting

Question 1

What are KRIs?

Answer 1

risk indicators are used to measure risk levels in comparison to defined risk thresholds, so that the organization receives an alert when a risk level approaches an unacceptable level.

they are highly relevant and possess a high probability of predicting or indicating important risks

Question 2

how do KRI’s support management

Answer 2

1. risk appetite: by validating the organizations risk appetite and tolerance levels
2. risk identification: by providing an objective means for identifying risk
3. risk mitigation: by providing a trigger for investigating an event or providing corrective action
4. risk culture: by helping the organization focus on important, relevant areas
5. risk measurement and reporting: by providing objective and quantitative risk information
6. regulatory compliance: by providing data that can be used as an input for operation risk capital calculations.

Question 3

list the considerations in KRI selection

Answer 3

1. they should be linked to a specific risk
2. they should be complete and accurate
3. they should be easy to measure, compare and interpret
4. they should provide results that are comparable over time
5. they should be linked to goals

Question 4

what makes an effective KRI

Answer 4

1. specific: based on a clearly understood goal
2. measurable:
3. attainable
4. relevant: directly related to a specific goal
5. timely: grounded in a specific timeframe

Question 5

what factors influence KRI selection ?

Answer 5

1. KRI should be balance and cover lag indicators, leading indicators and trends
2. KRI should drill down to root causes of events, not just the symptoms

Question 6

what are some criteria for an effective KRI?

Answer 6

1. impact:
2. effort
3. reliability
4. sensitivity
5. repeatable

Question 7

how do you optimize a KRI?

Answer 7

1. ensure that the correct data are being collected and reported on.
2. ensure that KRI thresholds are set correctly

Question 8

what are KPIs?

Answer 8

they measure how well a process is performing in terms of its stated goal. it also indicates the capabilities, practices and skills of value to the organization.

Question 9

what makes an effective KPI?

Answer 9

• provide value to the organization
• tied to a business function of service
• under the control of management
• quantitatively measured
• used repeatedly in different reporting periods/

Question 10

how can KPIs and KRIs be used together?

Answer 10

• KPIs help to identify underperforming aspects of the organizations and areas of the business that may require additional resources and attention
• KRIs provide early warnings of increased risk within the organization.

Question 11

what are the benefits of logs?

Answer 11

• analysis of log data can identify security violations and can be instrumental in forensics investigations.
• log analysis can also alert the organization to malicious activities, such as a developing attack or multiple attempts to break in.

Question 12

what is an integrated test facility?

Answer 12

ITF is a testing methodology that processes test data through production systems to test whether the systems are operating correctly.

Question 13

what is the purpose of the IS control monitoring function?

Answer 13

ensure that IT security requirements are being met; standards are being followed; and staff is complying with policies, practices and procedures of the organization

Question 14

list the steps of the IS control process

Answer 14

1. identify and confirm risk control owners and stakeholders.
2. engage with stakeholders and communicate the risk and information security requirements and objectives for monitoring and reporting
3. align and continually maintain the information security monitoring and evaluation approach with the IT and enterprise approach
4. establish the information security monitoring process and procedure
5. agree on a life cycle management and change control process for information security monitoring and reporting
6. request, prioritize and allocate resources for monitoring information security.

Question 15

why are risk monitoring and evaluation processes performed?

Answer 15

• to collect, validate and evaluate business, IT and process goals and metrics
• to monitor processes to ensure that they are performing in line with established performance metrics
• to provide reports that are systematic and timely

Question 16

what are the control assessment types?

Answer 16

1. IS audit
2. vulnerability assessment
3. penetration testing
4. third party assurance

Question 17

what is a vulnerability assessment?

Answer 17

methodical review of security to ensure that there are no predictable an unaddressed attack vectors that could be used to intentionally or unintentionally compromise an environment.

Question 18

what is penetration testing?

Answer 18

targeted attempt to break into an environment with a goal to validate a vulnerability assessment.

Question 19

name the two types of penetration testing

Answer 19

white hat or validation centric testing

black hat

Question 20

describe the risk profile

Answer 20

risk profile is based on the overall risk posture of the organization reflected in its attentiveness to monitoring the effectiveness of controls, proactivity in identifying and addressing or preventing risk and development of a risk culture

Question 21

What is a risk impact analysis?

Answer 21

a study to prioritize the critically of info resources for the enterprise based on costs or consequence of adverse events. In an impact analysis, threats to assets are identified and potential business losses determined for different time periods. The assessment is used to justify the extent of safeguards that are required and recovery time frames. The analysis is the basis for establishing the recovery strategy.

Question 22

What is a critical factor in implementing a risk based approach to the SDLC?

Answer 22

adequate involvement of business representatives

Question 23

Which of the following is the MOST important consideration for an organization structuring a contract with a third party? The inclusion of a

Answer 23

confidentiality clause

Question 24

what is a capability assessment

Answer 24

A capability assessment helps determine the enterprise’s maturity in its risk management processes and the capacity and readiness of the entity to develop a risk management program. When the enterprise is more mature, more sophisticated responses can be implemented; when the enterprise is rather immature, some basic responses may be a better starting point.

Question 25

Where are key risk indicators MOST likely identified when initiating risk management across a range of projects?

Answer 25

Risk response

Question 26

Reliability of a key risk indicator would indicate that the metric:

Answer 26

flags exceptions every time they occur.

Question 27

Describe a difference between KCI, KRI,KBI and KPI

Answer 27

• KCI : Key control indicators determine if internal controls are effective.
• KRI: Key risk indicators can help to assess the impact to risk tolerance.
  -KBI: A key business indicator ensures business goals are being achieved.
  KPI: Key performance indicators ensure desired performance levels and metrics are achieved.

Question 28

The MOST important objective of regularly testing information system controls is to

Answer 28

identify design flaws, failures and redundancies.

Question 29

what is a control indicator

Answer 29

control indicators are used to determine the effectiveness of an organization’s controls designed to treat its risk

Question 30

what type of review will provide the MOST insight into an enterprise’s risk management capabilities?

Answer 30

A capability maturity model review