Page 99 - CISSO_Prep_ Guide
Measuring control effectiveness is usually based on a control baseline. The control baseline is the desired minimum state for the security program, and every part of the organization should meet it. Areas of non-compliance should be reported to management so that they can be mitigated and the resulting risk gap addressed.
The ways in which controls can be monitored can be summarized as IDOT (Interview, Document, Observe, and Test). The risk assessor should interview the parties responsible for the risk to confirm that they know the procedures, are familiar with their responsibilities, and know how to report any non-compliance. Documentation should be up to date, reflecting the procedures actually in use. Observing the behavior of the system is important to confirm that the controls are operating correctly and that the administrators of the controls are performing their function correctly (there is often a disparity between knowing what should be done and doing it). Testing means exercising the control itself to verify that it is working correctly and that it is, in fact, mitigating the risk. It must be remembered that the purpose of a control is to mitigate risk, not merely to be a functioning control!
Risk monitoring is an ongoing process that must be integrated into all business functions and be part of all new initiatives, business activities, and strategic investments. Major changes to an organization's business processes, such as mergers, acquisitions, new product lines, and new business models (online, etc.), should all include risk evaluation in the planning and deployment process. As can be seen here, risk monitoring overlaps with and leads back into the process of risk assessment