ISACA CRISC – Risk and Control Monitoring and Reporting

  1. Module Overview

Welcome to the Isaac Risk Management Preparatory Course. This is the last module of a total of five modules on risk and control. Monitoring and reporting means continuous monitoring and reporting of its controls and risks to relevant stakeholders. to ensure the continued effectiveness of its risk management strategy and its alignment with business objectives. In this module, we will mainly learn about the difference between key risk indicators and key performance indicators, as well as monitoring and assessment techniques.

Some topics we will address are: what are key risk indicators? What are the benefits of key risk indicators? What are performance indicators? What data source can be used for risk monitoring and reporting? What are the types of assessments of safety controls and risks? With this, we complete the risk management lifecycle, which began with risk identification and progressed to risk assessment, risk response and mitigation, and now risk and control. Monitoring and reporting are very objective and compact, as is the content of the risk certification. All sessions are very important. This last section, for example, equals 22% of the certification test. That is why it is important to make clear in our minds the main objectives of monitoring and reporting so that we can properly analyse issues related to this era of knowledge. Let’s go.

  1. What are Key Risk Indicators?

When monitoring is broad enough to provide a reasonable view of the risk environment but not so broad that the results become lost in a fluid of data, the risk professional is able to better manage the risk. Monitoring is the management tool, and as we are talking about risk management, this module is of extremely high relevance not only for the organisation but also for the risk professional to conduct more quality work today, ensuring that risk management delivers to the company the value that is expected. The company relies on its monitoring and reporting functions to identify risk for assessment and mitigation.

Monitoring is essential, but its effectiveness depends largely on its successful integration with reports. When it comes to monitoring, a key concept is the key risk indicator. Risk indicators are used to measure risk levels against defined risk thresholds so that the organisation receives an alert when a level of risk approaches an unacceptable level. Key risk indicators comprise a subset of highly relevant risk indicators and are highly likely to project or indicate significant risks. By putting traceability and reporting mechanisms in place to alert responsible professionals to a potential risk, the organisation is given the opportunity to respond to the risk before it produces undesirable results. Note that this is an extremely complex concept that should be concretely translated into indicators and will require an effort from the risk professional and the organisation to be effectively defined.

Key risk indicators include the number of unauthorised pieces of equipment or software discovered on its premises, as well as the number of service level agreements that exceed the three-shot average hold time due to operational incidents. Common mistakes made when implementing key risk indicators include that they are not limited to specific risks, are incomplete or inaccurate due to unclear specifications, and are difficult to measure, aggregate, compare, and interpret. They provide results that cannot be compared over time or linked to business goals. How these points are relevant and what mistakes are usually made Key risk indicators must be selected carefully, and their effectiveness depends largely on the strength of their metrics. Good metrics are smart, which means they should be specific based on a clearly understood objective, clear, and consistent. They should be measurable or able to be measured; they should be quantifiable and objective, not subjective. They should be achievable and realistic based on important goals and values, directly related to a specific activity or objective, and timely based on a specific time period.

  1. What are the benefits of KRIs?

The organisation benefits directly from the use of key risk indicators in many ways, and here we will see some of them. The first is to provide an early warning signal, a foresight that the risk is emerging, to enable management to take proactive action before the risk actually becomes a loss. Another benefit is that key risk indicators provide insight into the past from risk events that have already occurred, enabling risk response and improving risk management. Key risk indicators also enable documentation and analysis of risk trends within the organization.

This aspect is related to the early warning but goes further. The warning is about a specific, objective, and unique risk. The view of trends as patterns of behaviour and macro-actions at the global level They are part of the risk management intelligence that allows risk professionals to truly add value to the company, bringing benefits that would not be easily identified without risk management. Finally, they also assist in the continuous improvement of risk governance and environmental management. Risk indicators should be identified for all key stakeholders of the company and provide different perspectives for different teams. An operations coordinator will have completely different risk indicators than a CEO, but our risk visions are necessary and add value to the company. So the risk professional must work with all relevant stakeholders to ensure engagement and ownership. To ensure accurate and meaningful reporting, key risk indicators must be optimised to ensure that the correct data is being collected and reported and that the thresholds are set correctly.

  1. What are key performance indicators?

Key performance indicators, abbreviated as KeyPi, are widely used for management. In general, performance indicators measure the performance of a process in terms of its stated objective. They are implemented to provide information about whether an action may be required. A key performance indicator is a performance indicator that predicts whether an objective will be met and identifies the organization’s resources, practices, and valued skills. Smart principles are specific, measurable, achievable, relevant, and timely, in addition to complying with the same key risk indicators. They should also add value to the business, not just yours. It must be linked to a business function or service, be under the control of management, be measured in quantitative form, and be used repeatedly in different reporting periods.

Key performance indicators place emphasis on the process and should be good health indicators for the process as a whole. For example, the time required to implement a security patch is manageable by management, which can establish policies, define the process of change management, identify the objectives that must be achieved, and establish the culture of resources to execute the activities. Some examples of key performance indicators are the level of network availability, the level of customer satisfaction, the number of calls resolved after the first contact, the time between requesting and answering data, and the number of employees going to awareness training. The risk professional should remember that the purpose of a control is to mitigate a risk. The purpose of the control monitor is to verify that the control is effective in addressing the risk and not to see if the control itself is working.

  1. What data sources can be used for risk monitoring and reporting?

And to carry out risk monitoring and repricing. Which data source can be used? In principle, any source that provides information that can somehow help to access the level of risk can and should be used, and this will vary from company to company. It is necessary to always be observing the environment to identify the best source. We will see some of the most important ones here, but there are also the simple stones, such as past risk assessment, project documents, lessons learned, call logs, changes made in the environment, incident reports, user feedback, interviews with management, and security tests.

The first data source we are going to talk about is the log. Logs literally mean records. These records are provided by systems, devices, and applications and are the most popular and consistent way to capture and store data for analysis, not only for security but also for performance and administration. In these log analyses, secure networks can be identified and used as an instrument for forensic investigations. In addition, logs can also serve as a warning of malicious activity, such as an attack being carried out or multiple attempts to break security. They can also be used to track attacks and support the strengthening of controls when necessary. Surely everyone who is watching this training has already had some kind of contact with logs, and they know there must be a balance between speed, detail, and utility. If the log contains too much data from many different devices, it may be difficult to verify significant events.

The key is to find the right level of logs for just the relevant events. Continuous improvement requires administrators who are always interested in changing the environment. Timing is a key factor for logging events, since our logging trustability and correlations of multiple source logs depend on the correct time between our logging sources. At the end of the day, record data and control activities should help answer the following questions: Questions: Are the controls operating correctly? Is the level of risk acceptable? Is the strategy for managing risk and securing controls aligned with the business strategy and priorities? Are the controls flexible enough to contain evolving threats? Is the correct risk data being provided in a timely manner? Is risk awareness and compliance dependent on user behavior? These questions are just examples, but they already demonstrate how critical logs are to a company and why they should be treated seriously.

Logs may contain information that is sensitive or necessary for forensic purposes, so they must be configured in ways that prevent change or deletion, as well as prevent unauthorised access. This secure configuration must be applied even for security monitoring results, and this demonstrates how cyclical the security management and risk management processes are. The next item is the event correlation tool, also called CA, which comes from security information and event management. CA tools are very much associated with the logs themselves, but they enhance their benefits. CAS captures data from several different sources and analyses the activity of systems, applications, and networks reported by this data source to correlate these records and identify secured events. CAS are powerful tools for risk management. Administrators are only able to manually evaluate logs if the source is very limited.

Any medium or lag environment should use the NCAA Integrated Test Facility, which is a testing methodology that processes test data through production systems to verify that systems are operating correctly. Through these integrated test facilities, the organisation can create fictional customers or transactions that are processed through real data, allowing business analysts to observe the operation of the production system to ensure correct processing. Finally, every risk professional should also observe external sources of information to check for additional insights that he could not only get by looking at the internal data. This external source can be media reports, incident response teams, reports such as SARC, for example, company reports or security labs, regulations, or even other organisations in the market. This exchange of information is very beneficial to all parties. It is therefore important for the risk professional to participate in risk and safety forums, seminars, and events to establish connections with other risk professionals from other companies in order to leverage knowledge from each other’s experiences. This goes beyond any competition between companies.

  1. What are the types of assessments of safety controls and risks?

Effective monitoring of safety controls and risks depends on the accuracy and completeness of the data provided for evaluation. The risk professional must ensure that the data received is genuine and error-free. Data that can be obtained directly by the risk professional is preferred. With data provided by 30 parties, the following are the types of assessments: famous assessments, security controls, and risks. The first type is information security audits or information systems audit teams that provide independent and objective reviews of the effectiveness and adequacy of the control environment. The information provided by the information systems auditors can highlight the need to improve controls and bring the risk to the attention of managers. By working closely with the audit team, the risk professional can align the risk management programme with the audit programme and provide data to support the auditors.

Audit team recommendations should often require the attention of the risk professional by updating risk action plans and risk recording as well as improving execution of control or requiring new controls. The next type of assessment is borned ability assessments, which are a methodological review of security to ensure that there are no unplanned or untargeted attack vectors, such as unnecessary parts or services that can be used intentionally or unintentionally to compromise the environment. The purpose of a vulnerability assessment is to provide managers with information that can be used to understand the effectiveness of their risk management programme and to make decisions regarding the treatment of identified vulnerabilities, such as the implementation of new controls. A penetration test is a break-in attempt. It can be carried out as a helper application, a physical installation, or a business process.

Usually, the purpose of the penetration test is to validate a vulnerability identified in the vulnerability assessment. If the professional who performs a penetration test can break the system, then the vulnerability is real and must be mitigated. False positives can also be detected through the penetration test to get the job done. The professionals who perform the penetration test often use the same tools hackers use to try to break into systems. These can pose risks to the company, so penetration testing should always be performed with explicit management approval using a defined and aligned method under appropriate supervision. Finally, the organisation may contract with third parties to provide guarantees attesting to the effectiveness or quality of its risk management and information security program. This third-party guarantee may be in the form of an external audit or even a recognised-body certification. The third is responsible for evaluating the process against the requirements of the standard set for the evaluation.

  1. Key Points

Well, we have finished the 50 Risk and Control, Monitoring, and Remediation module, where we understood how to monitor risk and the importance of the indicators for this monitoring. At the end of the module, we hope that each student is able to answer the questions that have been asked and that they are very clear about the reason for each answer. The first question was: What are the key risk indicators? We have seen that there are specific risk indicators developed to facilitate the visibility of key risk management factors. These indicators measure the level of risk against the defined thresholds and are essential for all stakeholders to follow the organization’s current risk scenario.

Next, we saw that the benefits of key risk indicators are anticipated warnings of possible unwanted events, a more conscious view of the past, a certain perspective of trends in risk-related events that are occurring in the company, and of course continuous improvement of the life cycle of risk management. The next question was, “What are the performance indicators?” where we saw that they are indicators that measure the performance of a process and must have value for the business and be measured in a quantitative way. Processes are a constant source of risk, and poor performance may put the entire enterprise operation at risk. In this sequence, we have looked at which data sources can be used for monitoring and risk reporting, which are summarised in the logs, event correlation tools, integrated test facilities, and external sources of information. However, at the end of the day, anything that can be used to monitor risk can and should be used, and these are just the most common ones that have been compiled. Lastly, we have seen what types of security and risk contract assessments are available, including information system audits via a visit assessment, penetration tests, and 30-part guarantees that can be contracted.

  1. Thank You!

Well, that’s the end of the 50 modules on risk and control, monitoring, and reporting. Risk management serves the purpose of the organization, and as the organisation evolves over time, risk management must be a continuous cycle that recognises the dynamic nature of risks and the need for ongoing monitoring and evaluation. Change in what we call the risk profile can occur for a variety of reasons, such as the emergence of new technologies, changes in business processes, acquisitions that are merged, new laws or regulations, changes in customer expectations, and the actions of competitors. This module also completes the training. We have seen that risks must be identified, evaluated, answered, and monitored, and that details of the mechanisms of each phase of the risk management lifecycle according to the ISAACA method are collected in the certification exams.

It is important to remember that certification should never be an end in itself. The risk professional should always seek to improve his knowledge, add value to the company, and find purpose in the production of the product or service offered by the company to the market. Situation is a financially recognised symbol that you have studied the subject, have the necessary knowledge, and are ready to add and bring benefits, act with purpose, provide risk visibility, and contribute to the creation of value in your business. This is why we need more committed and well-prepared professionals who raise quality standards and make a difference in the environment where they work. It’s no use making an excuse to complain about your situation. Only you are responsible for where you are today. Revolutionize your life and make a difference. I hope you enjoyed it, and I thank you all for participating with me in this risk management training. Thank you.