NCSC Launches Cyber Risk Management Toolbox
The National Cyber Security Centre (NCSC) has launched refreshed guidance on cyber risk management designed to make its advice more accessible and customizable, even for those new to the discipline.
Drawn up with feedback from users, research from the NCSC’s “sociotechnical and risk group” and practical experience of working on risk management problems, the guidance now has three new sections:
- A new eight-step cybersecurity risk management framework designed to help readers understand what a good approach looks like in their organization
- A cybersecurity risk management “toolbox,” which will grow over time as new techniques emerge. It currently includes sections on using attack trees, threat modeling and cybersecurity scenarios
- A basic risk assessment and management method for readers new to risk management or those with simple requirements. It takes its cue from the “bottom up and component driven approaches” promoted by NIST and ISO
The NCSC has also revived an assurance model from one of its deprecated “good practice guides.”
“We’ve done this to help you understand how you can gain and maintain assurance in the products, systems, and services you use,” the agency explained.
“Whilst the four assurance mechanisms in the CESG assurance model haven’t changed (and they all still need to be applied for an organisation to gain and maintain confidence or assurance), we have updated the list of potential assurance activities that could be used to gain and maintain intrinsic, extrinsic, operational and implementation assurance.”
Not everything is new in the guidance. There is still a heavy focus on using “component driven and system driven perspectives on risk” and utilizing a range of risk management information sources.
However, the NCSC recognized a lot has changed since the guidance was first developed five years ago – in terms of geopolitics, technology and cybersecurity.