
4.3 Data collection and extraction tools and techniques


A variety of data sources is required to measure and monitor risk. The following are some of the important sources of data collection:


  • Risk assessment reports

  • Project-related documents such as user acceptance testing (UAT) results, post-implementation reviews, etc.

  • Incident management database

  • IT helpdesk database

  • Audit reports

  • Security assessment reports

  • Event and activity logs


Logs



  • Analysis of log data is very important to determine the level of security violations. It supports forensic investigations and helps in taking corrective action by strengthening controls wherever required.


  • Determining the level of log capture is crucial. If too much data is captured for log monitoring, it may degrade system performance. On the other hand, if important events are not captured, significant individual events may go unnoticed.


  • For forensic purposes, time synchronization of log entries is of utmost importance, so that events recorded by multiple systems can be correlated.


  • Risk practitioners should ensure that logs are accessible in read-only mode and cannot be altered or deleted. System administrators responsible for systems or applications should generally not have the ability to alter or delete logs recorded against their own scope of responsibility.


  • The objective of capturing logs is to follow up suspected attempts with an investigation. The results of the investigation drive preventive and corrective action. Merely capturing logs or generating reports does not serve this ultimate purpose. Hence the most useful metric for measuring the success of log monitoring is the percentage or number of suspected attempts investigated. If an organization only keeps capturing logs without investigating, the objective of log capture is not achieved. The most useful metric is one that measures the degree to which complete follow-through has taken place.


Security Information and Event Management


  • Capturing logs is not meaningful unless they are analyzed to gain insight. Manual review of logs is not feasible in a complex environment.


  • A security information and event management (SIEM) system collects data from various sources and analyzes it for possible security events.


  • A SIEM system can detect attacks by signature-based or behavior-based (heuristic) analysis. It supports granular assessment, can highlight developing trends, and can alert the risk practitioner for immediate response.


  • A SIEM is the most effective method to determine the aggregate risk from different sources.
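The following Python script is an added example, not code from the original page, that ties together the Logs and SIEM points above: it normalizes timestamps from two sources to UTC so the events can be correlated, applies a signature rule (indicators on a watchlist, of the kind a CERT advisory publishes) and a behavioral rule (repeated authentication failures followed by a success), and computes the follow-through metric the text recommends. The log lines, IP addresses and watchlist are constructed for illustration; the rule names and thresholds are assumptions, not any product's configuration.

```python
import re
from datetime import datetime, timedelta, timezone

# --- constructed sample logs (not real data) --------------------------------
# The firewall writes UTC ("Z"); the web server writes local time at UTC+05:30.
# Read naively, the web events (14:30) look hours later than the firewall
# events (09:00) although they happened seconds apart.
FIREWALL_LOG = """\
2024-03-01T09:00:05Z fw DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T09:00:09Z fw ALLOW src=203.0.113.7 dst=10.0.0.8 dport=443
2024-03-01T09:02:00Z fw ALLOW src=192.0.2.44 dst=10.0.0.8 dport=443
"""
WEB_LOG = """\
2024-03-01T14:30:10+05:30 web auth_failed user=admin src=203.0.113.7
2024-03-01T14:30:14+05:30 web auth_failed user=admin src=203.0.113.7
2024-03-01T14:30:19+05:30 web auth_failed user=admin src=203.0.113.7
2024-03-01T14:30:25+05:30 web auth_ok user=admin src=203.0.113.7
2024-03-01T14:32:01+05:30 web auth_ok user=bob src=192.0.2.44
"""
# Constructed indicator list standing in for IPs published in an advisory.
ADVISORY_IPS = {"192.0.2.44"}


def parse(text):
    """Turn one source's lines into events with a UTC-normalized timestamp."""
    events = []
    for line in text.splitlines():
        ts, source, action, *_ = line.split()
        m = re.search(r"src=(\S+)", line)
        # fromisoformat understands "+05:30"; "Z" is mapped to "+00:00" so the
        # code also runs on Python versions older than 3.11.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append({"time": when.astimezone(timezone.utc), "source": source,
                       "action": action, "src": m.group(1) if m else None,
                       "raw": line})
    return events


def correlate(*logs):
    """Merge every source into a single timeline ordered by true (UTC) time."""
    return sorted((e for log in logs for e in parse(log)), key=lambda e: e["time"])


def signature_alerts(timeline, indicators):
    """Signature rule: any event whose source IP is on the watchlist."""
    return [{"rule": "advisory-ip", "src": e["src"], "time": e["time"]}
            for e in timeline if e["src"] in indicators]


def bruteforce_alerts(timeline, threshold=3, window=timedelta(seconds=60)):
    """Behavioral rule: >= threshold auth failures from one IP inside `window`,
    followed by a successful login from the same IP."""
    alerts, failures = [], {}
    for e in timeline:
        if e["action"] == "auth_failed":
            recent = failures.setdefault(e["src"], [])
            recent.append(e["time"])
            failures[e["src"]] = [t for t in recent if e["time"] - t <= window]
        elif e["action"] == "auth_ok" and len(failures.get(e["src"], [])) >= threshold:
            alerts.append({"rule": "bruteforce-then-success", "src": e["src"],
                           "time": e["time"]})
            failures[e["src"]] = []
    return alerts


def follow_through(alerts, investigated_count):
    """The metric the text recommends: percentage of suspected attempts that
    were actually investigated, not merely logged."""
    if not alerts:
        return 100.0
    return 100.0 * investigated_count / len(alerts)


if __name__ == "__main__":
    timeline = correlate(FIREWALL_LOG, WEB_LOG)
    for e in timeline:
        print(e["time"].isoformat(), e["raw"])
    alerts = signature_alerts(timeline, ADVISORY_IPS) + bruteforce_alerts(timeline)
    for a in alerts:
        print("ALERT", a["rule"], a["src"], a["time"].isoformat())
    # Assume two of the three alerts were taken through to investigation.
    print("follow-through: %.1f%%" % follow_through(alerts, 2))
```

The ordering step is the point of the time-synchronization bullet: only after both sources are on one clock does the firewall ALLOW on port 443 visibly precede the burst of failed logins from the same address.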


Integrated Test Facilities


  • A fictitious entity is created in the LIVE environment. Because the live environment is used, there is no need to create separate test processes. However, careful planning is necessary, and test data must be isolated from production data.


  • This technique allows the auditor to open a dummy account.


  • Auditors can enter dummy or test transactions and verify the processing and results of these transactions for correctness.


  • Processed results and expected results are compared to verify that systems are operating correctly.


  • Example: A dummy asset of $100,000 is entered into the system to verify whether it is capitalized under the correct head and depreciation is calculated at the correct rate. This dummy transaction is subsequently removed after the system controls have been verified.
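The following Python script is an added example, not code from the original page, that walks the $100,000 dummy-asset check through an integrated test facility: the test asset is posted to a minimal fixed-asset register standing in for the live system, the processed head and depreciation are compared with the expected results, and the test row is removed while confirming that production totals were never affected. The register, its capitalization rules, the asset categories and the rates are constructed assumptions, not any real product's behavior.

```python
from decimal import Decimal

# Constructed capitalization rules: category -> (ledger head, annual rate).
# They stand in for the configuration of the live system under audit.
CAPITALIZATION_RULES = {
    "computer": ("Plant & Equipment", "0.40"),
    "building": ("Land & Buildings", "0.05"),
}


class AssetRegister:
    """Minimal stand-in for the live fixed-asset register (assumption)."""

    def __init__(self, rules=CAPITALIZATION_RULES):
        self.rules = rules
        self.assets = []   # production and ITF rows share the same live table

    def post(self, asset_id, category, cost, is_test=False):
        head, rate = self.rules[category]
        cost = Decimal(cost)
        row = {
            "id": asset_id, "category": category, "cost": cost, "head": head,
            # straight-line depreciation for one year, as the system computes it
            "depreciation": (cost * Decimal(rate)).quantize(Decimal("0.01")),
            # the flag is what keeps ITF data separable from production data
            "is_test": is_test,
        }
        self.assets.append(row)
        return row

    def remove(self, asset_id):
        self.assets = [a for a in self.assets if a["id"] != asset_id]

    def production_total(self):
        return sum((a["cost"] for a in self.assets if not a["is_test"]), Decimal(0))


def itf_check(register, expected_head, expected_rate, cost="100000"):
    """Post the dummy asset, compare processed vs. expected results, remove it.
    Returns a list of findings; an empty list means the controls operated correctly."""
    findings = []
    before = register.production_total()
    test_id = "ITF-TEST-0001"          # constructed identifier for the dummy row

    row = register.post(test_id, "computer", cost, is_test=True)
    expected_dep = (Decimal(cost) * Decimal(expected_rate)).quantize(Decimal("0.01"))

    if row["head"] != expected_head:
        findings.append(f"capitalized under '{row['head']}', expected '{expected_head}'")
    if row["depreciation"] != expected_dep:
        findings.append(f"depreciation {row['depreciation']}, expected {expected_dep}")

    # Clean-up step from the text: the dummy transaction is removed afterwards,
    # and the auditor confirms production figures are exactly as before.
    register.remove(test_id)
    if register.production_total() != before or any(a["is_test"] for a in register.assets):
        findings.append("test data leaked into production figures")
    return findings


def miscoded_register():
    """A register whose rules were set up wrongly, to show what the ITF catches."""
    return AssetRegister(rules={"computer": ("Office Expenses", "0.25"),
                                "building": ("Land & Buildings", "0.05")})


if __name__ == "__main__":
    live = AssetRegister()
    live.post("A-0001", "building", "250000")      # an existing production asset
    print("correct system :", itf_check(live, "Plant & Equipment", "0.40") or "no findings")
    print("miscoded system:", itf_check(miscoded_register(), "Plant & Equipment", "0.40"))
```

The comparison of processed against expected results is the substance of the technique; the `is_test` flag and the before/after total are the planning the text calls for, so that the dummy entry can be picked out and withdrawn without disturbing real figures.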


External Sources of Information


Risk practitioners can also use external sources to gain additional insight, such as:


  • Computer emergency response team (CERT) advisories

  • Media reports

  • Reports from security agencies and other concerned bodies

  • Reports from regulatory bodies



Key aspects from CRISC exam perspective

  CRISC Questions                                                      Possible Answer
  Most important metric to determine effectiveness of log monitoring   Number of attacks investigated
  Which system determines the aggregated risk from several sources?    Security information and event management (SIEM) system


