Variety of data sources is required to measure and monitor the risk. Following are some of the important source of data collection:

Logs

Analysis of the log data is very important to determine the level of security violations. It helps in forensic investigations. It helps to take corrective action by strengthening controls wherever required.

Determining the level of log capturing is very crucial. If a high level of data is captured for log monitoring, it may impact system speed. On the other hand, if some important events are not captured then it may be difficult to notice significant individual events.

For forensic purposes, time synchronization of log entries is of utmost importance to correlate multiple events.

Risk practitioners should ensure that logs should be allowed as read only mode. It should not be allowed to be altered or deleted. System administrators with responsibility for systems or applications should generally not have the ability to alter or delete logs made against their own scopes of responsibility.

Objective of capturing a log is to do follow up investigation for suspected attempts. Results of investigation help in taking various preventive and corrective action. Mere capturing the logs or generating the reports will not serve the ultimate purpose. Hence most useful metrics for measuring the success of log monitoring is to determine percentage or number of suspected attempts investigated. If organizations do not investigate and keep only capturing the log, the ultimate objective of log capturing is not achieved. The most useful metric is one that measures the degree to which complete follow-through has taken place.

Security Information and Event Management

Capturing of the log will not be meaningful unless it is analyzed to gain some insight. Manual review of the log is not feasible in a complex environment.

Security information and event management (SIEM) system collects the data from various sources and analyzes the same for possible security events.

The SIEM system has capability to detect the attacks by signature or behavior (heuristics) based analysis. SIEM has capability for granular assessment. SIEM can highlight the developing trends and can alert the risk practitioner for immediate response.

SIEM is the most effective method to determine the aggregate risk from different sources.

Fictitious entity is created in a LIVE environment. As the live environment is used, there is no need to create separate test processes. However, careful planning is necessary and test data must be isolated from production data.

Auditors can enter dummy or test transactions and verify the processing and results of these transactions for correctness.

Processed results and expected results are compared to verify that systems are operating correctly.

Example: A dummy asset of $ 100000/- is entered into the system to verify whether the same is being capitalized under the correct head and depreciation is calculated properly as per correct rate. Subsequently this dummy transaction is removed after verification of system controls.

Risk practitioner can also use external sources to gain additional insight such as:

CRISC Questions	Possible Answer
Most important metric to determine effectiveness of log monitoring	Number of attacks investigated
Which system determines the aggregated risk from several sources?	Security information and event management (SIEM) system