Now, the final phase of the risk management life cycle is risking control, monitoring and reporting.
So ultimately you see it all ties together, we identify risks, determine the value through assessment. We respond accordingly, and then we monitor in control.
So ultimately, the main reason, of course, that we have to look at control, look at our controls and monitor and report upon them is when we make our risk mitigation strategy or we develop that risk mitigation plan and we implement our controls that may be perfectly valid for that point in time,
the threat landscape changes as our organization changes as the industry changes, you know, just the only thing constant is change, right? So we have to consider that what we put in place that may have been perfectly valid today may not be so tomorrow. So
obviously we need to monitor and control
and provide reports so that we can have the assurance that our controls are working as they should. And ultimately, what that comes down to is is the control reading its objective. Is it effectively addressing the risk that it was designed to address?
All right, so what? We're gonna do is we're gonna collect information. We have to validate it. Make sure that the information is meaningful to us and determine if the goals and metrics indicate that we're making good decisions and that we're continuing in line with a good
mitigation strategy that appropriately reduces the risk.
Remember, management owns this, right? Senior management, the business, the business, the business owns this. So it's up to them to ensure that we're continuing Now, Now, don't get me wrong. We're going to influence management. We're gonna provide them with information, but it's up to management to ensure
that they're continually making good decisions in the realm of
protecting their assets. Okay, so we have to go and start with the risk owners, right? We need to always know those risk owners are that was documented in the risk register. And that's going to tell us, you know, the ultimate authority for this particular risk.
All right, we're gonna make sure that we're in agreement with the business objectives and with the monitoring and control metrics, Uh, making sure that the alignment of those metrics is in alignment with the goals of the organization as a whole.
We're going to have already set up our procedures and processes for monitoring our report. Formats were going to determine the processes that replaced the frequency and so on. And we're gonna make sure that monitoring these resource is is given a high priority. Because, like I said,
the world's changing right, the threat lanes landscape is ever evolving. So we want to make sure that we get senior management or, at the very least, risk owner management into the importance of monitoring these controls that we've implemented
all right, and in orderto have these assessments meaningful. In order for them to be meaningful, we have to be able to get timely reports. And
when I say timely, you know. So of course we want to be able to collect the information and pull it together in a meaningful format in a reasonable amount of time. But also we want to make sure that we're evaluating these processes in a timely fashion,
and we also want to make sure that the reports that we pull would give us enough time to make any changes that are necessary. So
when we talk about timeliness, we want to make sure that that we have the resources that are necessary and that we're identifying metrics and that we're monitoring those metrics to the degree that when we fought find that things fall out of the realm of tolerance that were able to move very quickly,
the data analyst has to have a certain degree of skill set. Right? So who is going to be setting up the monitoring? Who's gonna be analyzing the logs? Do we have the tools that are necessary to make sense of thes love? You know, sometimes you get logs with just thousands and thousands of entries and do we have,
do we have the capability of reducing those audit locks? Do we have someone who's skilled to go through and pull out the metrics that are most meaningful?
Um, do we have good quality data? Are we able to get data that's meaningful? Are we able to get data that is relevant to the risks that we're that we're analyzing? Essentially. And then do we have enough? You know, sometimes if you just have
very few piece of data, you don't have enough to make a clear cut decision
or to get the full picture. So obviously there are elements that are gonna make thes control assessments better if we can
get the information in a timely fashion with skilled people. Good quality, dad. A good quantity data. All of those elements are important. And again, this has to be discussed at the very beginning of the risk assessment process. Right? We go back and talk about risk identification and then we talk about
assessment. Then we talk about mitigation.
Well, what we're doing when we're controlling is we're just ensuring all those other things that we've planned. We're just assure ensuring that they're working, right. So we've already determined the metrics for these. We've determined the processes for management, the frequency of management. So now we're just kind of carrying
what we talked about the past.