A series of checkpoints has been created in a document here (Made Tech only) that can be used to gauge progress through the following content whilst carrying out an assessment.
“Many modern threat management systems use the cybersecurity framework established by the National Institute of Standards and Technology (NIST). NIST provides comprehensive guidance to improve information security and cybersecurity risk management for private sector organizations. One of their guides, the NIST Cybersecurity Framework (NIST CF), consists of standards and best practices. Five primary functions make up its core structure. They are to identify, protect, detect, respond and recover.
Cybersecurity teams need a thorough understanding of the organization’s most important assets and resources. The identify function includes categories, such as asset management, business environment, governance, risk assessment, risk management strategy and supply chain risk management.
The protect function covers much of the technical and physical security controls for developing and implementing appropriate safeguards and protecting critical infrastructure. These categories are identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance and protective technology.
The detect function implements measures that alert an organization to cyberattacks. Detect categories include anomalies and events, continuous security monitoring and early detection processes.
The respond function ensures an appropriate response to cyberattacks and other cybersecurity events. Categories include response planning, communications, analysis, mitigation and improvements.”
See also: https://www.ibm.com/topics/threat-management
Communicating and documenting your risks
https://www.ncsc.gov.uk/collection/10-steps/risk-management
https://www.ncsc.gov.uk/collection/risk-management/a-basic-risk-assessment-and-management-method
“The scope of assessment should define the boundaries of the existing system you are assessing or the new system that is being built, and your scope should clearly define all the assets that are to be contained within it”
Also consider modelling the system scope with a scoping diagram.
“To help with this you could build a register of assets that could include (for example) the equipment, systems, services, software, information and/or processes that are critical to the successful delivery of your business objectives.”
Once you have identified a list “you should assess what the impact would be should those assets be, in some way, compromised.”
“An asset register might look something like the following table where assets and their ownership are clearly identified along with an assessment and rating of impacts.”
| Asset ID | Description | Impact Assessment | Impact Rating |
|---|---|---|---|
| 0001 | IP designs and property | Loss of designs and property would result in loss of competitive advantage | High |
“You should seek out authoritative sources of threat information that can help you understand who might seek to do you and your organisation harm, and why.”
See also: Threat Modelling
“Build an understanding of how threats might attack you and the tactics and techniques they might use against your organisation and the things you are trying to protect.”
“Vulnerabilities can exist in people, processes, places and technology and these vulnerabilities may be exploited by threat actors to achieve their aims and objectives.”
“If you are not sure how to document your vulnerability analysis or have no means to rate one vulnerability against another then you could consider making use of a simple 3x3 matrix where threat exposure, exploitability, and the vulnerability itself are scored on a simple Low to High scale.”
“Combine your analysis of threat and vulnerability in some way to arrive at an assessment of how likely it is that a particular threat would make use of a particular tactic or technique to exploit a vulnerability to achieve their aims and objectives, and thereby causing an impact to occur.”
“A simple way to document and analyse likelihood in this context is to use a matrix as shown below where threat and vulnerability ratings, along with likelihood are scored and expressed on a simple Low to High scale.”
“A cyber security risk is a future event, related to the use of technology systems and services, that might have some form of impact on someone, a system, a business, or an organisation.”
Communicating and documenting your risks - “When describing risks to decision makers it is important that you communicate to them the certainty or uncertainty surrounding your analysis. Not to do so would communicate to decision makers that you are completely certain that a risk would be realised as you describe.”
“During this step you should review the whole set of risks you came up with during the previous steps and prioritise them for risk management.
See below a table that illustrates how a prioritised list of risks might be presented.”
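The steps quoted above (score the vulnerability on a 3x3 Low-to-High matrix, combine threat and vulnerability into likelihood, combine likelihood with the asset register's impact rating, then prioritise and report the certainty of the analysis) are shown here as an added worked example in Python; it is not code from NCSC or from this page. The cell values of both matrices are an assumption for illustration, since the guidance only fixes the Low/Medium/High scale; asset 0001 is the page's own register entry and the other two assets are constructed.

```python
from dataclasses import dataclass

# Low-to-High scale used throughout the NCSC basic method.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}
NAMES = {v: k for k, v in LEVELS.items()}

def combine(a: str, b: str) -> str:
    """Assumed 3x3 combination matrix: mean of the two ratings, rounded half up
    (Low+High -> Medium, Medium+High -> High, Low+Low -> Low)."""
    return NAMES[(LEVELS[a] + LEVELS[b] + 1) // 2]

def vulnerability_rating(exposure: str, exploitability: str, weakness: str) -> str:
    """Assumed scoring for the 3x3 vulnerability matrix: take the highest-scoring
    component, so an exposed, easily exploited weakness is not diluted by averaging."""
    return NAMES[max(LEVELS[exposure], LEVELS[exploitability], LEVELS[weakness])]

@dataclass
class Risk:
    asset_id: str
    description: str
    impact: str         # impact rating carried over from the asset register
    threat: str         # threat rating from the threat analysis
    vulnerability: str  # output of vulnerability_rating()
    confidence: str     # certainty of the analysis, reported alongside the rating

    @property
    def likelihood(self) -> str:
        return combine(self.threat, self.vulnerability)  # threat x vulnerability

    @property
    def risk_rating(self) -> str:
        return combine(self.likelihood, self.impact)     # likelihood x impact

def prioritise(risks: list[Risk]) -> list[Risk]:
    """Order the prioritised risk list by risk, then likelihood, then impact."""
    def key(r): return (LEVELS[r.risk_rating], LEVELS[r.likelihood], LEVELS[r.impact])
    return sorted(risks, key=key, reverse=True)

def register_lines(risks: list[Risk]) -> list[str]:
    """One row per risk, prioritised, with confidence shown next to the rating."""
    return [f"{r.asset_id} | {r.description} | L={r.likelihood} | I={r.impact} | "
            f"Risk={r.risk_rating} | Confidence={r.confidence}" for r in prioritise(risks)]

# Constructed sample register: asset 0001 is the page's example, the others are made up.
SAMPLE_RISKS = [
    Risk("0001", "IP designs and property", "High", "Medium", vulnerability_rating("High", "Low", "Medium"), "Medium"),
    Risk("0002", "Staff laptop fleet", "Medium", "Low", vulnerability_rating("Low", "Low", "Low"), "High"),
    Risk("0003", "Public website", "Low", "High", vulnerability_rating("High", "High", "Medium"), "Low"),
]
```

Calling `register_lines(SAMPLE_RISKS)` produces the prioritised list with 0001 first and the two Medium risks ordered by likelihood, which is the tie-break a decision maker would expect to see explained.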
“Where you have recommended that cyber security risk be treated using technical or non-technical controls, it is necessary to document and describe those controls, providing as far as possible guidance and information on how they could/should be implemented, a basic treatment plan may look something like this:”
Apply appropriate security controls and mitigations (consider the following areas)
NCSC: Make compromise detection easier
Make use of threat intelligence. Sign up to the Cyber Security Information Sharing Partnership (CiSP) to receive and share threat information and indicators of compromise with industry and government counterparts.