Matthew Mackay CITP MBCS, Principal Consultant at Logiq Consulting, discusses how cyber risk assessments have changed following the withdrawal of Information Standard 1 (IS1) by the National Cyber Security Centre (NCSC) for use within government projects.
A risk assessment is a fundamental process for any organisation to understand, quantify, and formally document the risks posed to the organisation. In the context of cyber, this allows an organisation to consider the systems or assets that are business critical or a key enabler, their associated vulnerability or exposure to a cyber event, and the threat to the organisation.
The aim is to reduce the residual risk to a level that is as low as reasonably practical according to the organisation’s risk appetite and available resources. It must be stressed that an organisation will not ever be risk-free, but the organisation can be in a position where these risks are proactively managed.
IS1 has been a depreciated standard for quite some time
If we are going back some time, the standard that most Information Assurance (IA) consultants used and relied on was the HMG Information Assurance Standard No.1 - most of us know this as IS1. Following a purest IA approach, this standard was used to assess the risks against the Confidentiality, Integrity, and Availability of an Information System.
The issue was that these standards did not keep up with the pace of the cyber domain and the ever-evolving threats that an organisation faced. Therefore, the NCSC decided to no longer support the standard. In the words of the NCSC:
“...it was not uncommon for decisions to be justified on the basis of accreditation, policy, or a protective marking, rather than on a sound understanding of technical security risks. This fundamental lack of understanding about risk meant that decisions were not really being made in the name of security, let alone business need.”
NCSC, though no longer supporting the documents, has retained IS1 and IS2 as legacy documents. This means that any organisation which wants, or needs, to use them can do so but NCSC stress that organisations must still achieve the right outcomes - framing cyber risk in the context of the business. The IS1 standard is still available from the National Archives’ website, but as it is no longer maintained it should be used with caution.
What is NCSC’s risk assessment guidance?
The NCSC has updated their Risk Assessment guidance to provide organisations with more flexibility to tailor the risk assessment to their organisational needs. Identifying that there is no ‘one size fits all’, the NCSC has endorsed the use of component-driven (bottom up) and system-driven (top down) risk management techniques.
A component-driven approach allows an organisation to understand the specific risks that the components within a larger system face, taking into account the impact, vulnerability and threat to the components. This allows the risks, and subsequent mitigation activity, to be prioritised accordingly to deal with the severest risks first.
A system-driven approach takes a slightly different approach by allowing the organisation to use the system’s purpose as the starting point, rather than focussing on each independent component. The emphasis on a system-driven approach, by following systems engineering-type iterative approaches, is to understand how each aspect of the system interacts and how this withstands the cyber threat.
What about the National Institute of Standards and Technology (NIST)?
There has been a move by many organisations to align themselves with the frameworks produced by NIST in the United States. These frameworks should be not be viewed as a competitor to existing standards such as ISO27001 but provide organisations with a structured way they can improve their discovery and understanding of the cyber risks they hold.
The stated purpose of NIST Special Publication 800-30 ‘Guide for Conducting Risk Assessments’ is to aid the risk assessments of US governmental information systems and organisations, aligned to other NIST publications within the 800 series. Following this risk assessment process ensures that senior leadership are empowered with the information they require to appropriately respond to identified risks.
Although the framework should be tailored to an organisation’s business needs and objectives, it provides a structured way of identifying and quantifying the threats, vulnerabilities and impacts to an organisation or system. It is for the organisation to determine whether to follow a threat, system/component, or vignette-based approach to achieve the optimal process for their purposes.
For you
Be part of something bigger, join BCS, The Chartered Institute for IT.
So what?
There has been a paradigm shift away from IA and towards cyber security - the focus has moved away from just protecting information to understanding how a capability can be disrupted through cyber methods.
What this means, is that the focus from purely examining the information aspects of a capability to also fully considering the mission or business impact. For example, what impact would the denial or compromise of a programmable logic control or another form of operational technology have - here we are not protecting information per se but protecting the function that these systems perform.
Whatever approach an organisation decides to adopt, they must ensure that all risks are framed according to the business needs and furthers the security of the business.
References
- Information Risk Management: HMG IA Standard Numbers 1 & 2. National Archives
- Outcomes over process: how risk management is changing in government. Government risk management in a post IS1 & 2 world. National Cyber Security Centre.
- Risk management guidance. Component-driven and system-driven approaches. National Cyber Security Centre.
- SP 800-30 Rev. 1. Guide for Conducting Risk Assessments. National Institute of Standards and Technology.