
Effective Date: Xst of Xxx 20XX
IT GOVERNANCE - Volume X, Chapter X, Version X
Page 1 of 15
INFORMATION SECURITY RISK MONITORING & REPORTING
Approval Stamp. Chairman:

INFORMATION SECURITY RISK MONITORING & REPORTING

DESCRIPTION | TITLE | SIGNATURE
Prepared By | Job Title/or Section/or Department |
Reviewed By | IMS Representative |
Reviewed By | Technology Advisor, Planning & Development |
Endorsed By | Director/or a Committee |
Endorsed By | Director General |
Approved By | Chairman |
This document is the property of ADWEA and cannot be used nor provided to an outside party without prior authorization.

CHANGES HISTORY SHEET

DOC. CHANGE NO. | PAGE NO. | NEW ISSUE DATED | DOC. CHANGE REQUEST NO. | SUMMARY OF CHANGE

Table of Contents


1 SUMMARY ..... 5
2 GENERAL APPLICABILITY ..... 5
3 INFORMATION SECURITY RISK MONITORING AND REPORTING PROCESS ..... 6
  3.1 INFORMATION SECURITY RISK MONITORING AND REPORTING PROCESS DIAGRAM ..... 6
  3.2 INFORMATION SECURITY RISK MONITORING AND REPORTING PROCESS DETAILS ..... 7
    3.2.1 Purpose ..... 7
    3.2.2 Detailed Activity Descriptions ..... 7
    3.2.3 Responsibilities and Accountabilities ..... 12
4 REFERENCES ..... 14
5 APPENDICES ..... 15
  5.1 DEFINITIONS ..... 15


1 SUMMARY

The results of the risk assessment and treatment process need to be monitored and reviewed
for ongoing risk management, and to ensure their continued suitability. The monitoring and
review of information security risks should be a planned part of the risk management process,
and involve regular checking or surveillance as well as improvements when significant
changes occur.
Communication and consultation with key stakeholders should take place during all stages of
the risk management process. Therefore, plans for communication and consultation should be
developed at an early stage. These should address issues relating to the risk itself, its causes,
its consequences (if known), and the measures being taken to treat it. Effective external and
internal communication and consultation should take place to ensure that stakeholders and
those accountable for implementing the risk management process understand the basis on
which decisions are made, as well as the reasons why particular actions are required.

2 GENERAL APPLICABILITY

This process is applicable to all aspects of ADWEA Information Security Risk Management
System / Process and any Information Security Program initiated in response to it, covering
both Information Technology and Operation Technology Departments within the ADWEA
group.


3 INFORMATION SECURITY RISK MONITORING AND REPORTING PROCESS

3.1 Information Security Risk Monitoring and Reporting Process Diagram


3.2 Information Security Risk Monitoring and Reporting Process Details

3.2.1 Purpose

Risk monitoring defines the process to monitor and test the effectiveness of the treatment options implemented by ADWEA. The entity's monitoring and review processes should encompass all aspects of the information security risk management process for the purposes of:
o Ensuring that controls are effective in achieving the risk management they are intended to deliver.
o Integrating new information to improve the risk assessment and/or treatment.
o Analyzing and learning lessons from events (including near-misses), changes, trends, successes and failures.
o Detecting changes in the external and internal context, including changes to risk criteria and the risk itself, which can require revision of risk treatments and priorities.
o Ensuring that vulnerability assessments are conducted frequently, even after implementing security controls, to identify emerging risks, new threats, trends, etc.
Risk communication / reporting defines the process to communicate and report the progress of the overall information security program to external parties such as NESA, the CIIP Sector Working Group and the Sector Regulator, and internally within the Organization.

3.2.2 Detailed Activity Descriptions

3.2.2.1 Monitor Risk Treatment Plan Progress


This section describes the process to monitor and test the effectiveness of the
Treatment Plans implemented by ADWEA based on the outcomes of the Risk
Assessment Process.
3.2.2.1.1 Establish Monitoring Roles and Responsibilities
The first step in risk monitoring is to ensure that organization-wide risk management (RM) roles and responsibilities are clearly identified and documented in the ADWEA Risk Management policy and process document. For the purpose of risk monitoring and reporting, the Roles and Responsibilities section (3.2.3) within this document serves this purpose.
3.2.2.1.2 Establish Risk Monitoring Scope
Monitoring and review shall be a planned part of the Risk Treatment Plan and involve regular checking, surveillance and updates to ADWEA's Risk Treatment Plans. Monitoring shall be a continuous process to identify any changes relevant to information security risk management.
3.2.2.1.3 Establish Schedule
As monitoring will be an ongoing process, ADWEA shall execute these tasks at least once every quarter, according to the defined roles and responsibilities. ADWEA will report progress of the treatment activities as defined by the Sector Regulator.
3.2.2.1.4 Establish KPIs
To have measurable data for assessing ADWEA's maturity level, the KPIs described in the table below shall be analyzed and reported. The results shall be incorporated into ADWEA's overall performance management, measurement, and external and internal reporting activities.

KPI | Description

KPI 1 - Progress in implementing risk assessments and treatment options plans.
  Description: Several performance indicators to show progress:
  1.1 Percentage of critical classified assets that have completed the RA process.
  1.2 Percentage of treatment options already deployed.
  1.3 Based on the implementation project management schedule, percentage of completed time against the scheduled time to complete the RA process, and a note with a forecast of when the rest will be completed.
  1.4 Implementation target for P1 controls.

KPI 2 - Mean score for P1 controls.
  Description: Mean score of Risk Ratings for P1 controls.

KPI 3 - Percent change from last report in P1 controls.
  Description: Percentage change of Risk Ratings from last report in P1 controls.

KPI 4 - Mean score for P2, P3 and P4 controls.
  Description: Mean score of Risk Ratings for P2, P3 and P4 controls.

KPI 5 - Percent change from last report for P2, P3 and P4 controls.
  Description: Percentage change of Risk Ratings from last report in P2, P3 and P4 controls.

KPI 6 - Percent of controls identified as N/A.
  Description: Percentage of controls identified as N/A.

KPI 7 - Progress in Maturity Level.
  Description: Metric based on the Risk Assessment Questionnaire with year-over-year, quarter-over-quarter and present-to-last RA Questionnaire analysis. Performance indicators should be taken for individual maturity categories and for the overall maturity level. Two main performance indicators:
  1 Measured as the number of observed incremental levels achieved.
  2 Average maturity level score.

3.2.2.2 Prepare Risk Treatment Progress Report

Monitoring and review results shall be recorded, externally and internally reported as appropriate, and also used as input for the review of the information security risk. The risk treatment progress report must include the following essentials:
o Completed risk treatment activities: the treatment options already implemented.
o Implementation schedule: schedule for treatment options not yet deployed. Should include needed resources and any potential constraints.
o Impacts to entity: list possible risk impacts (ratings), per treatment option, while treatment is not completed.
o KPI: include the calculated "Progress in implementing Risk Treatment Plans" performance indicators (as suggested under section 3.2.2.1.4).
o Emerging risks: document observed or emerging risks, new threats or trends with possible impacts for the entity.
3.2.2.3 Internal Reporting
Internal reporting shall focus on the progress of implementing Risk Treatment Plans, including all available KPIs. Based on the defined schedule as noted in section 3.2.2.1.3, internal reports must be sent to ADWEA stakeholders as outlined in the Risk Management roles in section 3.2.3.


3.2.2.4 Internal Self-Assessments (ongoing)

An ongoing internal self-assessment should be seen as a proactive method to evaluate the actual posture of the information system independently of the Risk Treatment Plans. The outcome is valuable for the ADWEA risk management plan as input for risk treatment plan improvement, as it can show evidence of needed actions or resources not foreseen.
Some of the possible activities are self-audits, reassessing maturity based on interviews and questionnaires, and quarterly reviews of vulnerability scans.
3.2.2.5 Continuous Process Improvement
Ongoing monitoring and review is necessary to ensure that the context, the outcome of the risk assessment and risk treatment, as well as management plans, remain relevant and appropriate to the circumstances.
The ISGC (Information Security Governance Committee) shall meet every quarter to proactively review and improve the risk management process.
3.2.2.6 External Risk Reporting
This section defines the monitoring and reporting from CII Operators to NESA, the CIIP Sector Working Groups and the Sector Regulator.
3.2.2.6.1 Establish Roles and Responsibilities
The first step in external reporting is to ensure that the relevant roles and responsibilities are clearly identified and documented in the ADWEA Risk Management policy and process document. For the purpose of external risk reporting, the Roles and Responsibilities section (3.2.3) within this document serves this purpose.
3.2.2.6.2 External Reporting Requirements
3.2.2.6.2.1 Gathering of Threat Intelligence
ADWEA shall participate in a variety of cyber security information sharing platforms (e.g., threat intelligence databases) at both the national and international level, taking into account the information sharing policy developed by ADWEA in compliance with NESA and any other regulations or guidance in this regard.


NESA will communicate threat intelligence involving CII Sectors, and lead, through inter-sector and international communications, on threat intelligence and best practices information sharing as deemed appropriate.
3.2.2.6.2.2 Developing Sector Improvement Plan
Sector Regulators will consolidate all the Risk Assessment Major Findings from the ADWEA CII Operator Report and send them to NESA. The major findings applicable to more than one entity within the same sector are also sent to the CIIP Working Group, along with prioritized recommendations for their treatment.
The Sector Regulator and NESA will re-calculate ADWEA's risk ratings, taking into account the Sector and National Risk Measurement Criteria, which are detailed in NCRMF Volume 2, and include them in the consolidated report.
With this information the CIIP Sector Working Groups will, together with NESA, elaborate a Sector Improvement Plan report containing:
o Sector-wide threat list.
o Sector-wide risk trends.
o Sector-wide maturity in the context of cyber security management.
o Treatment tasks to be accomplished.
o Resources required to accomplish the tasks.
o Milestones required to meet the tasks.
o The scheduled completion dates for the milestones.
o Reporting of the Sector Improvement Plan.
o Updated KPIs.
3.2.2.6.2.3 Monitoring of Sector Improvement Plan Implementation
The Sector Regulator, with the CIIP Sector Working Group, will monitor the implementation of the Sector Improvement Plan and report its progress back to NESA. The Sector Regulator will report the following on a regular basis:
o Current state of the Sector Improvement Plan, including, but not limited to:
  - Completion status and milestone update.
  - Risks and issues.
  - Constraints.
  - Additional cyber security risks.
  - Any cyber security incidents.
  - CII Operator tasks to be accomplished.
o Improvement of CII Operator risk posture.
o Additional resources required to accomplish the tasks.
o Updated KPIs.
o Latest CII Operators' Risk Assessment Major Findings and Treatment Plans.
o Alerts on observed emerging risks, new threats or trends with possible impacts for CII Operators.
3.2.2.6.2.4 Establish KPIs to Measure Risk Management
NESA will engage Sector Working Groups to establish any additional KPIs and targets, or modify existing ones, for monitoring the implementation progress of the Sector-wide Security Plans as and when necessary.

3.2.3 Responsibilities and Accountabilities

The section below outlines the roles and responsibilities associated with the risk monitoring, review and reporting process. It is categorized primarily under internal monitoring and reporting, and separately under the external reporting requirements.

3.2.3.1 Roles and responsibilities related to internal monitoring and reporting

Teams | Roles | Responsibilities

Team: ISGC (Information Security Governance Committee)
  Role: Leadership team from all concerned business units or departments.
  Responsibilities:
  o Overall responsibility for risk management.
  o Confirm monitoring goals and objectives with the Sector Regulator.
  o Review risks to the business on an ongoing basis.
  o Track CII risk management activities.
  o Report Risk Assessment and Treatment progress to the Sector Regulator and NESA.

Team: Department Managers
  Role: Management Team (Managers or Directors) from all business units conducting Risk Assessments.
  Responsibilities:
  o Monitor risk progress and improvements.

Team: IT Security Analyst
  Role: Analysts or Subject Matter Experts from Cyber Security and other business units.
  Responsibilities:
  o Track risk treatment activities.
  o Prepare the Risk Treatment Progress report to deliver to the CISO.
  o Prepare the Risk Treatment report for the CISO.
  o Update the risk assessment methodology after a team review.
  o Create/update the risk assessment tool.
  o Track external events, such as changes to the legal or regulatory environment, changed contractual obligations, and changes in social climate.
  o Identify emerging risks, new threats, trends, etc.

3.2.3.2 Roles and responsibilities related to external reporting requirements

Teams | Responsibilities

Team: NESA
  o Create Sector Improvement Plan.
  o Monitor Sector Improvement Plan progress.
  o Establish KPIs for monitoring the Implementation Plan.
  o Monitor CII Operator Treatment Plans.

Team: CIIP Sector Working Group
  o Create Sector Improvement Plan.
  o Monitor Sector Improvement Plan progress.

Team: Sector Regulator
  o Consolidate CII Operator Reports.
  o Monitor CII Operator Treatment Plans.
  o Implement Sector Improvement Plan.
  o Report Sector Improvement Plan progress.
  o Monitor KPIs for the Sector Improvement Plan.

Team: ADWEA
  o Implement Sector Improvement Plan.


4 REFERENCES

Item | Description


5 APPENDICES

5.1 Definitions

Glossary | Acronym (if any) | Definition

Information Security (InfoSec): Preservation of the availability, integrity, and confidentiality of information.
Availability (A): Property of being accessible and usable upon demand by an authorized entity.
Integrity (I): Property of protecting the accuracy and completeness of assets.
Confidentiality (C): Property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Policy: Overall intention and direction as formally expressed by management.
Process: Set of interrelated or interacting activities which transforms inputs into outputs.
Procedure: Specified way to carry out an activity or process.
Exception: Any deviation from security policies and standards.
Process Owner: Person or role who has ultimate responsibility for the performance of a process.
Standard: Technical specification contained in a document consisting of definitions, limits, or rules which have been approved and are monitored for compliance.
System: A combination of related parts organized into a complex whole; a method or set of procedures for achieving something, including both services and processes.
Control: Means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature.
Risk management framework: Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.
Risk management policy: Statement of the overall intentions and direction of an organization related to risk management.
Risk owner: Person or entity with the accountability and authority to manage a risk.
Stakeholder: Person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity.
Level of risk: Magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood.
Risk evaluation: Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.
Residual risk: Risk remaining after risk treatment.

