12 - Risk Reporting Template
Overview
• The quarterly risk dashboard view is organized first by the high-level risk types (Table A from the scenario template) and then by the top risk scenarios.
• The risk posture is evaluated based on incident trends, tolerance thresholds, concentrations of issues and key risk indicators (KRIs).
• This template is designed to cover IT risk broadly and is not intended as a cybersecurity deep dive.
• Depending on the enterprise, it may be appropriate to add a page to the beginning covering changes to the regulatory environment and/or the threat landscape.
• This template includes some pages that may be too detailed for senior leadership but can be helpful as supporting materials.
• Start simple.
[Figure: Crawl / Walk / Run / Fly]
• It is never too early to measure and quantify risk. Even the GEN1 report measures impact on several dimensions.
© 2020 ISACA All rights reserved.
Issue Concentrations by Risk

Risk Category        Issues
Service Quality      12
Product Delivery     3

Issues by status (first column is the total; the three remaining columns are per risk category, column headings not recovered):
Under Analysis           5    2   1   2
Mitigation In Progress   6    1   3   2
Accepted/Closed         14    9   5   0
Total                   25   12   9   4

Issues by source (last column is the total; the four category column headings not recovered):
SOC2 Audit           -   -   0   -   0
BCM Tabletop         -   7   -   -   7
Regulatory Exams     3   -   3   -   6
Compliance Testing   0   1   1   4   6
Commentary

Website outages
  Added external monitoring tools and synthetic user accounts to proactively identify issues.
  ✗ The rollout of Project Sierra has made the production environment unstable.
  Launch of new CRM for customer service might result in an initial incident uptick but then improve operations in the long term.
  Completion of the cloud migration will increase DR capability.

Changes made to wrong IT environment
  Enrollment of systems into break-glass service is on track, with Tier 1 systems all enrolled.
  Additional banners added to CRM system to identify the environment.
  Enrollment into break-glass system will be completed.
  Busy release schedule may stress existing controls.

Data & System Protection (CISO)
Personal information sent to wrong recipient
  Dedicated QA resources hired for customer service team.
  ✗ The four-eyes check not yet added to all customer touchpoints.
  Until it is tuned, new alerting system will briefly increase potential incidents to investigate.

Product Delivery (CTO)
Insufficient capacity planning for new products
  Potential M&A targets being evaluated.
  ✗ Project Pluto delayed due to insufficient capacity planning.
  Platform strategy presentation is scheduled for next client advisory board meeting.
  Pipeline for new services will increase.
Top risk scenarios
Website outages: R, 48%; SEV1: 0; SEV2: 0
Malicious PII disclosure: A, 72%; SEV1: 0; SEV2: 2
Client account takeover: G, 85%; SEV1: 0; SEV2: 0
Template column prompts: "List the key reasons for tolerance levels or trends." / "Take action to bring risk back within thresholds."

Legend
Metrics available: No metrics available; 1% to 25% of metrics available; 26% to 50% of metrics available; 51% to 75% of metrics available; 76% to 100% of metrics available
Threshold status: Within thresholds; Breach of lower threshold; Breach of upper threshold
Trend: Risk exposure increasing; No change; Risk exposure decreasing
Key Metrics Based on Tolerance

Risk                     | Metric Description                                                            | Lower Threshold | Upper Threshold | Q3   | Q4   | Q1   | Mitigation Target
Malicious PII Disclosure | # of high-rated vulnerabilities aged >90 days on Internet-accessible systems  | 0               | ≤20             | 1    | 1    | 0    | N/A
Malicious PII Disclosure | % of users with persistent local administrator privileges on endpoint devices | ≤1%             | ≤2%             | 30%  | 29%  | 28%  | Q3
Malicious PII Disclosure | % of users being phished by quarterly campaigns                               | ≤10%            | ≤20%            | 21%  | 9.3% | 8.4% | N/A
Malicious PII Disclosure | % of endpoints that have full disk encryption enabled                         | 100%            | ≥95%            | 86%  | 98%  | 100% | N/A
Malicious PII Disclosure | % of endpoints with DLP agent active                                          | 100%            | ≥95%            | 96%  | 99%  | 99%  | Q2
Commentary
Key person risk is pervasive across multiple teams and geographies in the IT organization.
SEV1: 2; SEV2: 5
• New employees
• Aggressive business growth

Scenario sheet figures (column headings not recovered):
Service Quality, CTO: $10M; $200M
wrong recipient: N/A; On Track; 28%; COST: $0; Q1 'YY; $8M; $44M; $15M; REV: $0; 1,552 devices
Malicious PII disclosure (theft): Past Due; COST: $10k; Q2 'YY; $4M; $12M; $1M; REV: $0; 99%; 1,552 devices

Recent Developments:
+ Added four-eyes check on billing confirmation emails to clients.
+ Confirmed insurance policy covers most of the notification and investigation costs.
- Identified further gaps in tools and technologies to prevent confidentiality issues.
- Project to remove credit card details from billing confirmation emails has been delayed.