A series of checkpoints have been created in a document here (Made Tech only) that can be used to gauge progress through the following content whilst carrying out an assessment.
“Many modern threat management systems use the cybersecurity framework established by the National Institute of Standards and Technology (NIST). NIST provides comprehensive guidance to improve information security and cybersecurity risk management for private sector organizations. One of their guides, the NIST Cybersecurity Framework (NIST CF), consists of standards and best practices. Five primary functions make up its core structure. They are to identify, protect, detect, respond and recover.
Cybersecurity teams need a thorough understanding of the organization's most important assets and resources. The identify function includes categories, such as asset management, business environment, governance, risk assessment, risk management strategy and supply chain risk management.
The protect function covers much of the technical and physical security controls for developing and implementing appropriate safeguards and protecting critical infrastructure. These categories are identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance and protective technology.
The detect function implements measures that alert an organization to cyberattacks. Detect categories include anomalies and events, continuous security monitoring and early detection processes.
The respond function ensures an appropriate response to cyberattacks and other cybersecurity events. Categories include response planning, communications, analysis, mitigation and improvements.
See also: https://www.ibm.com/topics/threat-management
- Think about the wider context in which you want to manage cyber risk.
- Think about what your organisation does, and what it cares about.
- What are the business priorities and objectives?
- Consider what governance structures are in place to manage other types of business risk.
- How does managing and communicating about cyber risk fit within those structures?
- Ensure that the organisation has adequate policies approved and owned by the board that set out the risk management strategy for the organisation as a whole
- Understand where you need to apply cyber risk management
- Think about the range of technology, systems, services and information that your organisation uses and relies on to achieve its organisational goals and priorities
- Remember to include elements that may be outside of your direct control, but are still part of your wider risk concerns
- Don’t forget to think about how people interact with technology, systems and services.
- Choose a cyber security risk management approach that is right for your organisation
- Think about what approach to cyber security risk management, or mix of approaches, is right for your organisation
- Understand that it is not always necessary to carry out a detailed risk assessment. For example, you could use a baseline such as Cyber Essentials to provide information on the basic controls needed to protect your organisation against most common internet-based attacks.
- Different methods provide different perspectives on risk.
- Understand the risks you face and how to manage them
- Use your chosen approach to identify, analyse, assess and prioritise risks and make decisions on how you are going to manage them
- Ensure you are taking into consideration a wide variety in risk information, and seek out information from experts or trusted sources of information
- Remember that if you have chosen to apply controls to manage risk, you should ensure that those controls are proportionate to the risk, usable and do not adversely affect the way the business works.
Communicating and documenting your risks
- Communicate effectively about cyber risks and cyber risk management
- Make sure that you effectively communicate your risk management approach to staff and decision makers
- Ensure that you communicate cyber risk in a way that fits in with how your organisation talks about other types of risk (such as legal or financial risk).
- Make sure you use meaningful language and fully explain any risk labels or scores you use. Using meaningless or poorly communicated labels can lead to misinterpretation and misunderstanding
- Apply and seek confidence in the controls you have chosen
- Apply the controls you’ve chosen to mitigate risk to your systems and services
- Ensure that you understand what risks remain after you have applied the controls.
- Seek confidence that the package of mitigation measures you put in place have effectively managed the risk you identified, and consider how you will maintain that confidence as your systems are used into the future.
- Continually improve your approach to risk management
- Remember that risk management is an iterative process. Technology changes, as does the business environment and their associated threats and opportunities.
- Regularly review your risks to ensure that the ways you have decided to manage them remain effective and appropriate
- You will also need to review the methods, frameworks and tools you use for risk management to ensure they continue to be effective
https://www.ncsc.gov.uk/collection/10-steps/risk-management
https://www.ncsc.gov.uk/collection/risk-management/a-basic-risk-assessment-and-management-method
“The scope of assessment should define the boundaries of the existing system you are assessing or the new system that is being built, and your scope should clearly define all the assets that are to be contained within it”
Also consider modelling the system scope with a scoping diagram.
“To help with this you could build a register of assets that could include (for example) the equipment, systems, services, software, information and/or processes that are critical to the successful delivery of your business objectives.”
Once you have identified a list “you should assess what the impact would be should those assets be, in some way, compromised.“
“An asset register might look something like the following table where assets and their ownership are clearly identified along with an assessment and rating of impacts.”
| Asset ID | Description | Impact Assessment | Impact Rating |
|---|---|---|---|
| 0001 | IP designs and property | Loss of designs and property would result in loss of competitive advantage | High |
“You should seek out authoritative sources of threat information that can help you understand who might seek to do you and your organisation harm, and why.”
See also : Threat Modelling
“Seek out authoritative sources of threat information that can help you understand who might seek to do you and your organisation harm, and why”
“Build an understanding of how threats might attack you and the tactics and techniques they might use against your organisation and the things you are trying to protect.
“Vulnerabilities can exist in people, processes, places and technology and these vulnerabilities may be exploited by threat actors to achieve their aims and objectives.”
“If you are not sure how to document your vulnerability analysis or have no means to rate one vulnerability against another then you could consider making use of a simple 3x3 matrix where threat exposure, exploitability, and the vulnerability itself are scored on a simple Low to High scale.”
“Combine your analysis of threat and vulnerability in some way to arrive at an assessment of how likely it is that a particular threat would make use of a particular tactic or technique to exploit a vulnerability to achieve their aims and objectives, and thereby causing an impact to occur.”
“A simple way to document and analyse likelihood in this context is to use a matrix as shown below where threat and vulnerability ratings, along with likelihood are scored and expressed on a simple Low to High scale.”
“A cyber security risk is a future event, related to the use of technology systems and services, that might have some form of impact on someone, a system, a business, or an organisation.”
Communicating and documenting your risks - “When describing risks to decision makers it is important that you communicate to them the certainty or uncertainty surrounding your analysis. Not to do so would communicate to decision makers that you are completely certain that a risk would be realised as you describe.”
“During this step you should review the whole set of risks you came up with during the previous steps and prioritise them for risk management.
See below a table that illustrates how a prioritised list of risks might be presented.”
“Where you have recommended that cyber security risk be treated using technical or non-technical controls, it is necessary to document and describe those controls, providing as far as possible guidance and information on how they could/should be implemented, a basic treatment plan may look something like this:“
Apply appropriate security controls and mitigations (consider following areas)
- Understand what you are building and why
- Make systems easy to maintain and update
- Make compromise and disruption difficult
- Safely develop and manage systems
- Keep your systems updated
- Develop a vulnerability management process
- Manage legacy equipment
- Develop appropriate identity and access management policies and processes
- Consider multi-factor authentication for all user accounts
- Use MFA and other mitigations for privileged accounts
Review user accounts and systems for unnecessary privileges on a regular basis, and ensure privileged accesses are revoked when no longer required.
- Protect data in accordance with the risks
- Securely sanitise storage media when no longer needed for its designated purpose
- Understand your objectives for logging and monitoring
- Make sure your logs are available for analysis when you need them”
- Make it easy to detect and investigate compromises
- Employ security monitoring to detect potential malicious behaviour
- Make sure your logs are available for analysis when you need them
- Protect your logs from tampering so that [it is] hard for an attacker to hide their tracks and you can be confident that they accurately represent what has happened.”
NCSC Make compromise detection easier
- Reduce the impact of compromise
- Backup your data
- Use your logs to generate useful insights
- Develop an incident response plan
- Stay informed
Make use of threat intelligence. Sign up to the Cyber Security Information Sharing Partnership CiSP to receive and share threat information and indicators of compromise with industry and government counterparts.
- attack.mitre.org
- NCSC - Preventing lateral movement
- NCSC - What exactly should we be logging
- What is cyber threat management
- NCSC - 10 Steps
- NCSC - Risk Management
- NCSC - Vulnerability Management
- NCSC - A basic risk assessment and management method
- IBM - Threat Management
- NCSC - Risk management for cyber security