Measuring Control Effectiveness
John Mitchell
LHS Business Control
47 Grangewood
Potters Bar
Hertfordshire
EN6 1SL
England
© John Mitchell
PhD, MBA, CEng, CITP, FBCS, CFIIA, CISA, CGEIT, QiCA, CFE
Tel: +44 (0)7774 145638
john@lhscontrol.com
www.lhscontrol.com
GRC 2.0 - Breaking Down
The Silos
rd
ISACA Ireland Conference – 3 October 2014
CMM & ISO 15504 Levels
CMM
ISO 15504
5 – Optimised
5 - Optimised
4 – Managed and Measurable
4 – Predictable
3 – Defined
3 – Established
________________________________________
2 – Repeatable
2 - Managed
1 – Ad Hoc
1 - Performed
0 – Non existent
0 - Incomplete
© John Mitchel
GRC 2.0 - Breaking Down
The Silos
rd
# 2 2014
ISACA Ireland Conference – 3 Slide
October
Components of the Control Environment
Monitoring
Control
Activity
Information &
Communication
© John Mitchel
Risk
Analysis
Control
Objectives
GRC 2.0 - Breaking Down
The Silos
rd
ISACA Ireland Conference – 3 October 2014
Generic Risk Management Process
H
i
g
h
Senior Management
Attention
Local Management
Attention
No Action
L
I
K
E
L
I
H
O
O
D
L
o
w
E
Inherent
Risk
D
Likelihood
Reduction
C
B
Residual
Risk
A
A
Low
© John Mitchel
Consequence
Reduction
B
C
CONSEQUENCE
D
E
High
GRC 2.0 - Breaking Down
The Silos
rd
ISACA Ireland Conference – 3 October 2014
Which Risk
Would You Want Assurance Over?
Inherent Risk
Controls
Risk 1
None
Risk 2
Some
Risk 3
Lots
© John Mitchel
Residual
Risk
GRC 2.0 - Breaking Down
The Silos
rd
ISACA Ireland Conference – 3 October 2014
What Is This Control Stuff?
Anything which monitors or modifies a process to ensure its
predictability
A control is basically a test against a prediction
You can only test for what you can predict
Sometimes the prediction is absolute
(gender must be ‘F’)
Sometimes the prediction is variable
(within the range of 50 to 50,000)
© John Mitchel
GRC 2.0 - Breaking Down
The Silos
rd
ISACA Ireland Conference – 3 October 2014
Control Classifications
Class
Ability to detect the event and take recovery action
1
Prevents the event, or detects it as it happens and prevents further
impact
2
Detects the event and reacts fast enough to fix it well within the
specified time window
3
Detects the event and reacts just fast enough to fix it within the
specified time window
4
Detects the event but cannot react fast enough to fix it within the
specified time window
5
Fails to detect the event but has a partially deployed business
continuity plan
6
Fails to detect the event but does have a business continuity plan
7
Fails to detect the event and does not have a business continuity
plan
© John Mitchel
Source: D Brewer & W List
Type
Preventive
Detective
Reactive
GRC 2.0 - Breaking Down
The Silos
rd
ISACA Ireland Conference – 3 October 2014
Anatomy of a Control
Design
Implementation
Monitoring
Evaluation
© John Mitchel
GRC 2.0 - Breaking Down
The Silos
rd
ISACA Ireland Conference – 3 October 2014
Measuring Control Design
How well the control should work, in theory, if it is always
applied in the way intended:
3 – designed to reduce risk aspect entirely
2 – designed to reduce most aspects of risk
1 – designed to reduce some areas of risk
0 – very limited or badly designed, even where used correctly
provides little or no protection
© John Mitchel
GRC 2.0 - Breaking Down
The Silos
rd
ISACA Ireland Conference – 3 October 2014
Measuring Control Implementation
The way in which the control performs in practice:
3 – control is always applied as intended
2 – control is generally operational but on occasions is not
applied as intended
1 – control is sometimes correctly applied
0 – control is not applied or applied incorrectly
© John Mitchel
GRC 2.0 - Breaking Down
The Silos
rd
ISACA Ireland Conference – 3 October 2014
Measuring Control Monitoring
How we know that the control is continuing to operate
(embedded monitor):
3 – operation is always monitored
2 – operation is usually monitored, but on occasions is not
1 – operation is monitored on an ad-hoc basis
0 – operation is not monitored at all
© John Mitchel
GRC 2.0 - Breaking Down
The Silos
rd
ISACA Ireland Conference – 3 October 2014
Measuring Control Evaluation
How frequently control effectiveness & efficiency is
evaluated:
3 – control is regularly evaluated for effectiveness/efficiency
2 – control is occasionally evaluated for
effectiveness/efficiency
1 – control is evaluated very infrequently
0 – control is never evaluated
GRC 2.0 - Breaking Down
The Silos
rd
ISACA Ireland Conference – 3 October 2014
Scoring Control Effectiveness Example
(No Weighting)
Apply DIME:
Design
Implementation
Monitoring
Evaluation
= 2 (3)
= 3 (3)
= 2 (3)
= 1 (3)
TOTAL
= 8 (12) = 0.75 (75% total effectiveness)
NOTE: If either Design, or Implementation is zero then
total score becomes zero
© John Mitchel
GRC 2.0 - Breaking Down
The Silos
rd
ISACA Ireland Conference – 3 October 2014
Risk & Control Documentation
LHS Business Control
47 Grangewood, Potters Bar, EN6 1SL, England
+44 (0)1707 851454
csa@lhscontrol.com
www.lhscontrol.com
RISK & CONTROL DOCUMENTATION
Company:
Division:
Location:
Score the Effectiveness of the
Controls in Mitigating the Risk
N/A
1
2
3
4
5
Business Area/Activity:
A
Controls for managing the risk of
B
As a minimum these should include the
following standard controls
Is it performed?
Contr.
Class
Contr.
Score
N/A
Yes
Who/what performs it?
How
Often?
How is it evidenced?
Who/what performs it?
How
How is it evidenced?
Who/what will perform
it?
How
Often?
How will it be evidenced?
No
1) Control 1
2) Control 2
3) Control 3
4) Control 4
C
Where the answer to a minimum requirement is
NO:
Is it performed?
Contr.
Class
Please give details of any alternative controls
providing assurance
D
Where the score for control effectiveness is < 3
Please detail the control which is to be
implemented to improve the result
© John Mitchel
Contr.
Score
N/A
Contr.
Class
Yes
No
Proposed
Implementation
Date
Pot.
Score
GRC 2.0 - Breaking Down
The Silos
rd
ISACA Ireland Conference – 3 October 2014
Assessing Overall
Control Effectiveness
Analyse each control to arrive at an overall score for all of
the controls mitigating a risk
1 = Poor level of control - management attention required
2 = Very basic control - enhancement required
3 = Adequate level of control - scope for improved
effectiveness
4 = Good control - scope for increased efficiency
5 = Excellent control - no improvement possible
© John Mitchel
GRC 2.0 - Breaking Down
The Silos
rd
ISACA Ireland Conference – 3 October 2014
Control Effectiveness Reporting
H
i
g
h
L
I
K
E
L
I
H
O
O
D
L
o
w
E
8
D
2,18
C
16
B
1
A
Low
B
C
CONSEQUENCE
12
12) Power
Loss
14) 3rd Party
Support
17
A
© John Mitchel
3,4,5,6,7,9,
10,11,13,14
15
D
15) Loss of
Data Centre
E
High
GRC 2.0 - Breaking Down
The Silos
rd
ISACA Ireland Conference – 3 October 2014
Graphical Representation
(Multiple Risk Areas)
Changes in control over the Internet
4.5
3.5
2.5
1.5
0.5
2010
© John Mitchel
2012
2013
M/F Ops.
Network
Disaster Rec.
Change Control
Internet
EPOS
HR
EDI
Sys. Dev.
Sys. Maint.
Help Desk
Mngt. Info.
Cap. Plan.
Tech. Support
17
GRC 2.0 - Breaking Down
The Silos
rd
ISACA Ireland Conference – 3 October 2014
Summary

Whether you use CMM or ISO 15504 you still need to assess control
effectiveness

Evaluation should be against the controls mitigating a risk

Evidence must be available that the control is effectively working

The evidence must show who/what operates the control and the
frequency of operation

Control effectiveness can be consistently assessed by applying the
DIME method
© John Mitchel
GRC 2.0 - Breaking Down
The Silos
rd
ISACA Ireland Conference – 3 October 2014
Questions?
John Mitchell
PhD, MBA, CEng, CITP, FBCS, CFIIA, CISA, CGEIT, QiCA, CFE
LHS Business Control
47 Grangewood
Potters Bar
Hertfordshire EN6 1SL
England
Tel: +44 (0)7774 145638
john@lhscontrol.com
www.lhscontrol.com
© John Mitchel
GRC 2.0 - Breaking Down
The Silos
rd
ISACA Ireland Conference – 3 October 2014