2023 IT Examiner School

Risk Monitoring & Reporting: Key Risk Indicators (KRIs)

• Provide early warning • Provide back-ward looking view on risk events • Enable documentation and analysis of trends • Provide indication of risk appetite and tolerance

• Align controls with business objectives • Demonstrates Governance & oversight

• Examples of KRIs • Network Latency Reports • Frequency or Volume of locked accounts • Number of block IP addresses on a IPS or Firewall • Number of trouble/incident tickets • Out of date virus signatures or unpatched systems

Risk Assessment: Control Testing • Assurance testing or self assessments on controls if documented, demonstrates risk monitoring. • Metrics reporting provides evidence of conformance with policies and procedures. • Independent review to test controls reduce bias, increase capabilities, and increase knowledge about threats and technologies. • Independence gives credibility to the test results. • The reports generated from the tests should be prepared by individuals who similarly are independent.