Approved By: Chairman
This document is the property of ADWEA and cannot be used nor provided to outside party without prior authorization.
Effective Date: Xst of Xxx 20XX
Volume Chapter Version
IT GOVERNANCE X X X
Page 2 of 15
INFORMATION SECURITY RISK MONITORING & REPORTING
Approval Stamp. Chairman:
Table of Contents
1 SUMMARY.............................................................................................................................................................. 5
2 GENERAL APPLICABILITY.................................................................................................................................... 5
3.2.1 Purpose................................................................................................................................................................................7
4 REFERENCES........................................................................................................................................................ 14
5 APPENDICES........................................................................................................................................................ 15
5.1 DEFINITIONS..........................................................................................................................................................................15
1 SUMMARY
The results of the risk assessment and treatment process need to be monitored and reviewed
for ongoing risk management, and to ensure their continued suitability. The monitoring and
review of information security risks should be a planned part of the risk management process,
and involve regular checking or surveillance as well as improvements when significant
changes occur.
Communication and consultation with key stakeholders should take place during all stages of
the risk management process. Therefore, plans for communication and consultation should be
developed at an early stage. These should address issues relating to the risk itself, its causes,
its consequences (if known), and the measures being taken to treat it. Effective external and
internal communication and consultation should take place to ensure that stakeholders and
those accountable for implementing the risk management process understand the basis on
which decisions are made, as well as the reasons why particular actions are required.
2 GENERAL APPLICABILITY
This process is applicable to all aspects of ADWEA Information Security Risk Management
System / Process and any Information Security Program initiated in response to it, covering
both Information Technology and Operation Technology Departments within the ADWEA
group.
3.2.1 Purpose
Risk monitoring defines the process to monitor and test the effectiveness of the
treatment options implemented by ADWEA. The entity's monitoring and review
processes should encompass all aspects of the information security risk
management process for the purposes of:
o Ensuring that controls are effective in the risk management they are
achieving.
o Integrating new information to improve the risk assessment and/or
treatment.
o Analyzing and learning lessons from events (including near-misses),
changes, trends, successes and failures.
o Detecting changes in the external and internal context, including changes to
risk criteria and the risk itself, which can require revision of risk treatments
and priorities.
o Ensuring that Vulnerability Assessments are conducted frequently, even after
security controls have been implemented, to identify emerging risks, new threats,
trends, etc.
Risk communication / reporting defines the process to communicate and report
the progress of the overall information security program to external parties
such as NESA, the CIIP Sector Working Group and the Sector Regulator, and internally
within the Organization.
purpose of risk monitoring and reporting the Roles and responsibilities section
(4.2.3) within this document serves this purpose.
7.1.1.1.2 Establish Risk Monitoring Scope
Monitoring and review shall be a planned part of the Risk Treatment Plan and
involve regular checking, surveillance and updates to ADWEA's Risk Treatment
Plans. Monitoring shall be a continuous process to identify any changes relevant to
information security risk management.
7.1.1.1.3 Establish Schedule
As monitoring will be an ongoing process, ADWEA shall execute these tasks at
least once every quarter, according to the defined roles and responsibilities.
ADWEA will report the progress of the treatment activities as defined by the Sector
Regulator.
7.1.1.1.4 Establish KPIs
To have measurable data for assessing ADWEA's maturity level, the KPIs
described in the table below shall be analyzed and reported. The results shall be
incorporated into ADWEA's overall performance management, measurement, and
external and internal reporting activities.
KPI: Description
4 - Mean score for P2, P3 and P4 controls: Mean score of Risk Ratings for P2, P3 and P4 controls.
5 - Percent change from last report for P2, P3 and P4 controls: Percentage change of Risk Ratings from last report in P2, P3 and P4 controls.
NESA will communicate threat intelligence involving CII Sectors, and lead, through
inter-sector and international communications, on threat intelligence and best
practices information sharing as deemed appropriate.
7.1.1.6.2.2 Developing Sector Improvement Plan
Sector Regulators will consolidate all the Risk Assessment Major Findings from
ADWEA CII Operator Report and send them to NESA. The major findings
applicable to more than one entity within the same sector are also sent to the CIIP
Working Group, along with prioritized recommendations for their treatment.
The Sector Regulator and NESA will re-calculate ADWEA's risk ratings, taking into
account the Sector's and National Risk Measurement Criteria, which are detailed in
NCRMF Volume 2, and include them in the consolidated report.
With this information CIIP Sector Working Groups will, together with NESA,
elaborate a Sector Improvement Plan report containing:
o Sector-wide threat list.
o Sector-wide risk trends.
o Sector-wide maturity in context of cyber security management.
o Treatment tasks to be accomplished.
o Resources required to accomplish the tasks.
o Milestones required to meet the tasks.
o The scheduled completion dates for the milestones.
o Reporting of the Sector Improvement Plan.
o Updated KPIs.
7.1.1.6.2.3 Monitoring of Sector Improvement Plan Implementation
The Sector Regulator, with the CIIP Sector Working Group, will monitor the
implementation of the Sector Improvement Plan and report its progress back to
NESA. The Sector Regulator will report the following on a regular basis:
Current state of the Sector Improvement Plan, including, but not limited to:
o Completion Status and Milestone update.
o Risks and Issues.
o Constraints.
The section below outlines the roles and responsibilities associated with the risk
monitoring, review and reporting process. It is categorized primarily under internal
monitoring and reporting and specific to external reporting requirements.
Teams: Responsibilities
ISGC (Information Security Governance Committee): Leadership team from all
concerned business units or departments.
o Overall responsibility for risk management.
o Confirm monitoring goals and objectives with Sector Regulator.
o Review risks to the business on an ongoing basis.
o Track CII risk management activities.
o Report Risk Assessments and Treatment progress to Sector Regulator and NESA.
4 REFERENCES
Item Description
5 APPENDICES
5.1 Definitions
nature
Risk management framework: set of components that provide the foundations
and organizational arrangements for designing, implementing, monitoring,
reviewing and continually improving risk management throughout the organization
Risk management policy: statement of the overall intentions and direction
of an organization related to risk management
Risk owner: person or entity with the accountability and authority to manage a risk
Stakeholder: person or organization that can affect, be affected by, or perceive
themselves to be affected by a decision or activity
Level of risk: magnitude of a risk or combination of risks, expressed in terms of
the combination of consequences and their likelihood
Risk evaluation: process of comparing the results of risk analysis with risk
criteria to determine whether the risk and/or its magnitude is acceptable or tolerable
Residual risk: risk remaining after risk treatment