Statement

The CIO and ISO will maintain a set of metrics to be continuously monitored, this shall include frequency of the reviews, and a manner in which they shall be reported.

Applicability

This control applies to all West Texas A&M information resources. The intended audience for this control includes all information resource owners and custodians as well as the ISO.

Implementation

The ISO shall ensure risk monitoring is part of the continuous monitoring strategy that is employed.  This shall include:

• Effectiveness monitoring to determine the ongoing effectiveness of the implemented risk response measures.
• Compliance monitoring to verify that required risk response measures are implemented.
• Change monitoring to identify changes to organizational systems and environments of operation that may affect security.