IVI Framework Viewer

Security Risk Monitoring

C5

Manage the on-going efficacy of information security risk handling strategies and control options.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Security Risk Monitoring at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of staff.
    Outcome
    The organization behaves on an ad hoc basis: with no documented processes or procedures, staff respond differently according to their differing levels of experience and training.
    Metric
    # Customer complaints/accolades about in/consistency.
2 Basic
  • Practice
    Monitor the top priority security risks periodically and ensure there is high visibility on them. Establish and actively manage a basic security risk register.
    Outcome
    There is basic monitoring in place, but many security risks may not be visible.
    Metric
    Risk exposure for each identified risk and changes to risk scores
    % Identified risks recorded in a risk register
3 Intermediate
  • Practice
    Establish a proactive security risk monitoring process within IT and some business units. Set up a central security risk register.
    Outcome
    Recording of risks in a central risk register allows for more efficient management and reporting.
    Metric
    % Identified risks recorded in a risk register
4 Advanced
  • Practice
    Implement an organization-wide security risk monitoring process that includes pre-defined results/event-triggered activities. Use financial and benchmark data to validate the business/monetary value of evaluated risks.
    Outcome
    Monitoring is triggered by pre-defined results or events. Risks of high importance to the business are monitored more closely, so monitoring and reporting cycles are more efficient with limited resources. Validation against financial and benchmark data helps detect inconsistent valuations and provides relative context for risk evaluation.
    Metric
    # Monitoring triggers
    % Valuations validated
    Comparison of estimated versus actual risk mitigation effort and impact
5 Optimized
  • Practice
    Review and optimize the security risk monitoring process and continually enhance the risk register's features, efficiency, and quality of data.
    Outcome
    The monitoring process is optimized based on feedback from past security successes and failures. The risk register is maintained up-to-date and relevant.
    Metric
    % Ratio of actual reviews of the risk monitoring process to required reviews (set out in the policy/handbook)
    % Identified risks recorded in a risk register
    Frequency of updates to the risk register
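The practices at the Basic, Intermediate and Advanced levels above (a central risk register, event-triggered re-scoring, validation of valuations against benchmark data) and their metrics can be made concrete in a small register model. The following is an added example, not part of the IVI IT-CMF page or any IVI tooling; the likelihood x impact scoring model, the trigger thresholds, the risk entries, the events and the benchmark figures are all constructed assumptions chosen for illustration.

```python
"""Added example (not IVI's code): a minimal security risk register with
event-triggered monitoring and the POM metrics named in the table above.
Scales, thresholds and all sample data are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Risk:
    risk_id: str
    title: str
    likelihood: int                      # assumed 1..5 scale
    impact: int                          # assumed 1..5 scale
    owner: str
    valuation: Optional[float] = None    # estimated annual loss, money units
    history: list = field(default_factory=list)   # (reason, before, after)

    @property
    def exposure(self) -> int:
        """Risk exposure = likelihood x impact (assumed scoring model)."""
        return self.likelihood * self.impact


class RiskRegister:
    # Assumed pre-defined triggers: re-review a risk when its exposure moves
    # by at least TRIGGER_DELTA, or whenever it lands in the HIGH_EXPOSURE band.
    TRIGGER_DELTA = 6
    HIGH_EXPOSURE = 15

    def __init__(self) -> None:
        self.identified: set[str] = set()          # ids surfaced by assessments
        self.risks: dict[str, Risk] = {}           # ids actually recorded
        self.triggers: list[tuple[str, str]] = []  # (risk_id, reason) fired
        self.updates = 0                           # register update count

    def identify(self, risk_id: str) -> None:
        """An assessment/audit surfaced a risk; it may not be recorded yet."""
        self.identified.add(risk_id)

    def record(self, risk: Risk) -> None:
        """Record a risk in the central register."""
        self.identified.add(risk.risk_id)
        self.risks[risk.risk_id] = risk
        self.updates += 1

    def apply_event(self, risk_id: str, reason: str,
                    likelihood: Optional[int] = None,
                    impact: Optional[int] = None) -> bool:
        """Re-score a risk in response to an event (control failure, new
        exploit, patch deployed ...). Returns True if a pre-defined trigger
        fires and the risk needs closer review."""
        risk = self.risks[risk_id]
        before = risk.exposure
        if likelihood is not None:
            risk.likelihood = likelihood
        if impact is not None:
            risk.impact = impact
        after = risk.exposure
        risk.history.append((reason, before, after))
        self.updates += 1
        fired = abs(after - before) >= self.TRIGGER_DELTA or after >= self.HIGH_EXPOSURE
        if fired:
            self.triggers.append((risk_id, reason))
        return fired

    # --- metrics from the POM table ---
    def pct_recorded(self) -> float:
        """% identified risks recorded in the register."""
        if not self.identified:
            return 100.0
        return 100.0 * len(self.identified & set(self.risks)) / len(self.identified)

    def exposure_changes(self) -> dict[str, list[int]]:
        """Change in exposure per recorded risk, one delta per event."""
        return {rid: [a - b for _, b, a in r.history] for rid, r in self.risks.items()}

    def validate_valuations(self, benchmarks: dict[str, float],
                            tolerance: float = 0.5) -> tuple[float, list[str]]:
        """Compare estimated valuations with external benchmark figures.
        Returns (% valuations validated, ids whose estimate deviates from the
        benchmark by more than `tolerance` as a fraction of the benchmark)."""
        inconsistent, validated = [], 0
        for rid, risk in self.risks.items():
            if risk.valuation is None or rid not in benchmarks:
                continue
            validated += 1
            if abs(risk.valuation - benchmarks[rid]) > tolerance * benchmarks[rid]:
                inconsistent.append(rid)
        pct = 100.0 * validated / len(self.risks) if self.risks else 0.0
        return pct, inconsistent


def build_sample_register() -> RiskRegister:
    """Constructed sample data: four identified risks, three recorded."""
    reg = RiskRegister()
    for rid in ("R-01", "R-02", "R-03", "R-04"):
        reg.identify(rid)
    reg.record(Risk("R-01", "Unpatched internet-facing VPN", 3, 4, "infra", 120_000))
    reg.record(Risk("R-02", "Shared admin credentials", 2, 2, "it-ops", 20_000))
    reg.record(Risk("R-03", "Unencrypted backup tapes", 4, 4, "data", 500_000))
    # Constructed events driving event-triggered re-scoring.
    reg.apply_event("R-02", "control failure reported by audit", likelihood=5)
    reg.apply_event("R-01", "patch deployed", likelihood=2)
    reg.apply_event("R-03", "public exploit released", likelihood=5)
    return reg


SAMPLE_BENCHMARKS = {"R-01": 100_000.0, "R-02": 50_000.0, "R-03": 450_000.0}
```

With the sample data, R-04 is identified but never recorded (75% recorded), the audit finding on R-02 and the new exploit on R-03 each fire a trigger while the patch on R-01 does not, and the valuation of R-02 is flagged as inconsistent with its benchmark. The same structure gives the Optimized-level "frequency of updates" metric for free via the `updates` counter.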