New techniques added to the NCSC’s ‘risk management toolbox’

It has been 5 years since we last updated our risk management guidance, since then a lot has changed in the worlds of global politics, technology, and cyber security.

Our aim is to provide practical advice that is relevant for modern technology systems and services. As always, our guidance is backed by our practical experience of working on the most challenging risk management problems, feedback from users, and expert research from our sociotechnical and risk group.

Some things in the guidance remain unchanged. For example, in order to effectively manage cyber security risk, it is important to https://www.ncsc.gov.uk/collection/risk-management/introducing-system-and-component-driven-risk-management-approaches” target=”_self”>use component driven and system driven perspectives on risk, and to make use of a variety of https://www.ncsc.gov.uk/collection/risk-management/risk-management-information” target=”_self”>risk management information sources.

However, this update includes three entirely new sections:

1. Firstly, we have developed an https://www.ncsc.gov.uk/collection/risk-management/cyber-security-risk-management-framework” target=”_self”>8-step cyber security risk management framework to help you understand ‘what a good approach to risk management looks like’ for your organisation. Whilst the steps in the framework use ISO/IEC 27005 as a handrail, similar activities will be found in many other risk management methods and approaches.
2. Secondly, we have introduced the idea of a cyber security risk management toolbox. We use the toolbox metaphor because there is no ‘one size fits all’ approach to risk management. You’ll need to use the most appropriate technique, or method to deal with the risk management challenge you’re facing. We expect that as new techniques emerge, the contents of this cyber security risk management toolbox will increase, but at the moment the toolbox comprises:

    • component driven and system driven approaches to risk management
    • using qualitative and quantitative risk management information
    • using threat modelling
    • using attack trees
    • using cyber security scenarios

3. Thirdly, we have introduced a https://www.ncsc.gov.uk/collection/risk-management/a-basic-risk-assessment-and-management-method” target=”_self”>basic risk assessment and management method for readers who are new to risk management, or have a very simple risk management requirement. As we explain, it’s not suitable for complicated or complex risk management scenarios, and it is not intended to be used as the ‘NCSC-approved’ risk management method. This method isn’t based on any single method, but it is similar to the (more complex) bottom up and component driven approaches recommended by NIST and the International Standards Organisation.

Finally, we’ve revived the assurance model from one of CESG’s deprecated, ‘Good Practice Guides’. We’ve done this is to help you understand https://www.ncsc.gov.uk/collection/risk-management/how-to-gain-and-maintain-assurance” target=”_self”>how you can gain and maintain assurance in the products, systems, and services you use. Whilst the four assurance mechanisms in the CESG assurance model haven’t changed (and they all still need to be applied for an organisation to gain and maintain confidence or assurance), we have updated the list of potential assurance activities that could be used to gain and maintain intrinsic, extrinsic, operational and implementation assurance.

We are already thinking about and working on further tools for the toolbox. In the meantime if you have any feedback on this guidance https://www.ncsc.gov.uk/section/about-this-website/contact-us” target=”_self”>do let us know.

Rick C & Nathan H
NCSC Government Team

Original Source: ncsc[.]gov[.]uk

---