Information risk and security management reporting

News category: IT Security News
Source: blog.noticebored.com

Last Thursday, a member of the ISO27k Forum launched a new discussion thread with this poser (lightly edited):

"Having recently become an ISMS coordinator, I must prepare a monthly report to management. How does one write an information security report? What should be reported?"

Over the weekend we've raised and debated a bunch of ideas, such as a tiered approach, starting at the detailed operational level with effectiveness metrics for the selected information security controls, then aggregating and summarising information for less frequent reports to higher management, emphasising the business perspective (e.g. reporting not just the number of incidents, but a breakdown by severity level mapping to business impacts for senior management).

Using appropriate metrics makes sense, of course. It also occurs to me that, aside from structuring the reports according to the information security controls and incidents, you could use the information risks in a similar way. The themes and control attributes from ISO/IEC 27002:2022 (and/or your custom attributes) might also be a rational basis for grouping and reporting on the 'ISMS things that are somehow related', particularly for the more detailed reports.

As well as reporting historical and current status information, I would probably add some analysis of the current situation, resourcing (budgets and people) and priorities, plus a forward view of plans with a time horizon that again reflects the outlook of the audience. So, for the higher levels of management, the reports would focus on fewer, more significant issues (bigger/existential risks, key business-related objectives, major projects/initiatives etc., with the supporting details possibly relegated to appendices or simply cited in lower-level reports) and look further forward towards more distant horizons.

Generalising, I envisage a reporting structure along these lines:

  • Continual/daily information used for routine, contemporaneous operational activities within the information risk and security management function, with weekly/monthly summaries fed into other reporting streams and formats, e.g. 'status reports' and 'ongoing activities' (things completed in the most recent reporting period, things in progress now, and things planned for the next reporting period/s) and 'current concerns' (watchpoints) on the function's intranet site;
  • Monthly reports exchanged with management colleagues in related specialisms such as risk, IT, HR and compliance, used to agree priorities and so coordinate approaches, dealing with any conflicts or concerns and avoiding things 'falling between the cracks';
  • Quarterly business-related executive summaries for the C-suite, including notes on everything significant (initiatives, projects, budgets & resourcing, incidents ...) and mid-term plans (looking ahead maybe a year or two);
  • Annual high-level summary reports to senior management (C-suite and Board) and, if appropriate, other significant stakeholders (owners, auditors, regulators, business partners ...) presenting only the most significant information and longer-term/strategic plans stretching a few years ahead.

In addition to these planned, regular reports, there may also be a need for ad hoc reporting on specific areas and particular audiences, such as:

  • ISMS management reports, internal audits and external audits;
  • Significant incidents and near-misses (corrective actions), plus ISMS improvement opportunities (preventive actions), i.e. projects and initiatives, including proposals for new investments;
  • Anything else that deserves to be 'escalated' up through the management layers, or needs to involve and gain wider support, e.g. policies and governance aspects;
  • Whatever other reporting various audiences require, e.g. for planning, structuring and coordinating infosec-related activities that cross departments, business units and/or businesses, e.g. mergers and acquisitions, restructuring, new products ...

I am tempted to turn this into a set of reporting templates for the ISO27k Toolkit, incorporating some of the other ideas debated on the Forum, but I'm not sure it's worth the effort. Every organisation has its own preferred management reporting styles, hence the templates would need to be customised anyway. Alternatively, an FAQ would capture the wisdom well enough for some readers. For now, I hope we have addressed the original poser and provided plenty of food for thought. As always, comments are welcome.