Security Risk Monitoring
Manage the ongoing efficacy of information security risk handling strategies and control options.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Security Risk Monitoring at each level of maturity.
- 1 Initial
- Practice
- Rely on the best endeavours of staff.
- Outcome
- The organization behaves on an ad hoc basis: with no documented processes or procedures, staff respond differently to the same risk depending on their experience and training.
- Metric
- # Customer complaints or accolades concerning (in)consistency of risk handling.
- 2 Basic
- Practice
- Monitor the top priority security risks periodically and ensure there is high visibility on them. Establish and actively manage a basic security risk register.
- Outcome
- There is basic monitoring in place, but many security risks may not be visible.
- Metric
- Risk exposure for each identified risk, and changes to risk scores over time
- % Identified risks recorded in a risk register
- 3 Intermediate
- Practice
- Establish a proactive security risk monitoring process within IT and some business units. Set up a central security risk register.
- Outcome
- Recording of risks in a central risk register allows for more efficient management and reporting.
- Metric
- % Identified risks recorded in a risk register
- 4 Advanced
- Practice
- Implement an organization-wide security risk monitoring process that includes pre-defined results/event-triggered activities. Use financial and benchmark data to validate the business/monetary value of evaluated risks.
- Outcome
- Monitoring is triggered by pre-defined results or events. Risks of high importance to the business are monitored more closely, so monitoring and reporting cycles stay efficient with limited resources. Validation against financial and benchmark data helps detect inconsistent valuations and provides relative context for risk evaluation.
- Metric
- # Monitoring triggers
- % Valuations validated
- Comparison of estimated versus actual risk mitigation effort and impact
- 5 Optimized
- Practice
- Review and optimize the security risk monitoring process and continually enhance the risk register's features, efficiency, and quality of data.
- Outcome
- The monitoring process is optimized based on feedback from past security successes and failures. The risk register is kept up to date and relevant.
- Metric
- % Ratio of actual reviews of the risk monitoring process to required reviews (as set out in the policy/handbook)
- % Identified risks recorded in a risk register
- Frequency of updates to the risk register