A2. Risk management

Serviceteam IT Security News

Principle

The organisation takes appropriate steps to identify, assess and understand security risks to the network and information systems supporting the delivery of essential services. This includes an overall organisational approach to risk management.

Description

There is no single blueprint for cyber security and therefore organisations need to take steps to determine security risks that could affect the delivery of essential services and take measures to appropriately manage those risks.

Threats can come from many sources, in and outside the organisation.  A good understanding of the threat landscape and the vulnerabilities that may be exploited is essential to effectively identify and manage risks.  Such information may come from sources including NCSC, information exchanges relevant to the organisation’s sector, and reputable government, commercial, and open sources, all of which can inform the organisation’s own risk assessment process.  Organisations may contribute to the understanding of threats and vulnerabilities in their sector by participating in relevant information exchanges and liaising with authorities as appropriate. 

There should be a systematic process in place to ensure that identified risks are managed and the organisation has confidence mitigations are working effectively. Confidence can be gained through, for example, product assurance, monitoring, vulnerability testing, auditing and supply chain security.

Guidance

NCSC Risk Management Guidance

Our Risk Management guidance aims to help you to choose an approach that’s right for your organisation.

Operators of essential services are likely to benefit from a combination of a system-based approach, which looks at the interactions between components of the service, and a component-driven analysis, which considers the threats, vulnerabilities, and impacts relevant to particular critical components. 

 

Risk methods and frameworks

Your organisation should choose a method or framework for managing risk that fits with the organisation’s business and technology needs. The NCSC has summarised some commonly used risk methods and frameworks as a starting point.

Whichever approach you choose, the scope of your programme must include all systems relevant to the operation of essential services.  Simply following the minimum requirements of a standard or applying blanket controls across the organisation is unlikely to adequately manage risks to critical systems. 

Where industrial control and automation systems are in scope of the essential service, you should keep in mind that controls suitable for managing risks on the corporate IT network may be inappropriate or damaging in an operational technology environment. These systems will likely require a more tailored approach, and some frameworks and standards address specific concerns relating to such systems.

Cyber security assurance

Various means are available to gain confidence in the effectiveness of the security of technologies, processes and people. The NCSC assurance blog provides some examples that may be useful to understand cyber security confidence in your organisation and there are some specific technical NCSC guides:

NCSC Penetration testing guidance

This guidance will help you understand the proper use and commissioning of penetration tests to gain assurance in the security of an IT system. Operators should carefully consider their approach to the testing of live Operational Technology, as  system operation or availability could be affected. Assurance could be gained without this additional risk by testing against non-operational environments or by testing individual components in a laboratory environment. 

NCSC Cloud Security Collection: Having confidence in cyber security

Our Cloud Security Collection provides guidance on managing the risks involved with using cloud services, and some of the principles and guidance are more broadly applicable. The cloud guidance for having confidence in cyber security provides principles that are useful for assuring cyber security effectiveness of essential services. The collection will be of particular interest if your organisation hosts any part of your essential service infrastructure on a cloud service.

References

NCSC Risk Management Guidance

NCSC Assurance Blog

NCSC Penetration Testing Guidance

NCSC Cloud Security Collection: Having confidence in cyber security

Risk frameworks and methods

< Back to Principle A1                  Forward to Principle A3 >

Source: NCSC

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!

/by
You might also like
Serviceteam IT Security News AFL players call for data protection overhaul as concerns include drug test results
Serviceteam IT Security News Cloud Security Principle 7: Secure development
Serviceteam IT Security News What Will GDPR’s Impact Be On U.S. Consumer Privacy?
Serviceteam IT Security News Optus privacy breach: names, addresses and details revealed in sim card glitch
Serviceteam IT Security News Hacking of activists is latest in long line of cyber-attacks on Palestinians
Serviceteam IT Security News Amazon Promises Fix to Stop Key Service Hack