NCSC Launches Cyber Risk Management Toolbox


The National Cyber Security Centre (NCSC) has launched refreshed guidance on cyber risk management designed to make its advice more accessible and customizable, even for those new to the discipline.

Drawn up with feedback from users, research from the NCSC’s “sociotechnical and risk group” and practical experience of working on risk management problems, the guidance now has three new sections:

  • A new eight-step cybersecurity risk management framework designed to help readers understand what a good approach looks like in their organization
  • A cybersecurity risk management “toolbox,” which will grow over time as new techniques emerge. It currently includes sections on using attack trees, threat modeling and cybersecurity scenarios
  • A basic risk assessment and management method for readers new to risk management or those with simple requirements. It takes its cue from the “bottom up and component driven approaches” promoted by NIST and ISO

The NCSC has also revived an assurance model from one of its deprecated “good practice guides.”

Read more on risk management: Global Firms Fear the Worst Over Risk Management Failures

“We’ve done this is to help you understand how you can gain and maintain assurance in the products, systems, and services you use,” the agency explained.

“Whilst the four assurance mechanisms in the CESG assurance model haven’t changed (and they all still need to be applied for an organisation to gain and maintain confidence or assurance), we have updated the list of potential assurance activities that could be used to gain and maintain intrinsic, extrinsic, operational and implementation assurance.”

Not everything is new in the guidance. There is still a heavy focus on using “component driven and system driven perspectives on risk” and utilizing a range of risk management information sources.

However, the NCSC recognized a lot has changed since the guidance was first developed five years ago – in terms of geopolitics, technology and cybersecurity.



Source link