II.D Risk Monitoring and Reporting
Risk monitoring is the process by which the institution tracks
information about its inherent risk profile and identifies gaps in
the effectiveness of its risk mitigation activities. Risk monitoring
should address changing threat conditions both within the institution
and across the wider financial industry. Threats change frequently,
particularly in the capabilities and intentions of threat actors and
in the vulnerabilities they may exploit. New software vulnerabilities
are announced continually, and other vulnerabilities may emerge as
the institution's own systems are modified or updated. External
factors, including the use of new third-party service providers,
also may change the institution's inherent risk profile.
Risk reporting is the process that produces information systems
reports addressing threats, capabilities, vulnerabilities, and
changes in inherent risk. Risk reporting should describe any
information security events the institution faces, the
effectiveness of management's response, and the institution's
resilience to those events. The reporting process should provide a
method of disseminating those reports to the appropriate members of
management. The contents of the reports should prompt action, where
necessary, in time to maintain appropriate levels of risk.