Cyber Security Risk Assessment (NCSC Assured Training)
Welcome to this pre-reading for attendees of Atlas Analytics’ Cyber Security Risk Assessment course, Assured Training in association with the UK's National Cyber Security Centre (NCSC).
This accredited, professional learning experience follows stages of the NCSC Basic Risk Assessment and Management Method, and is a practical, interactive risk assessment workshop for anyone with an interest in cyber security. You may be new to the topic or have some awareness, and need to better understand what cyber security risk is and how to communicate its potential impact on business operations. You aspire to produce a range of insights, products, and decisions as part of your duties to support risk analysis and assessment to underpin best-practice cyber security. Your learning will be put to the test during demanding but enjoyable group exercises that will challenge you to produce robust assessments, which your peers will constructively critique in a professional, collaborative environment.
1: Objectives
By the end of this workshop, you will be able to:
- Understand and correctly use common risk terminology as per “Risk Management & Governance” in the Cyber Body of Knowledge (CyBOK);
- Complete a Risk Register with a minimum of three cyber security risks fully documented and with controls suggested.
2: What is Cyber Security?
The UK's NCSC defines cyber security's core function as being "To protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access - both online and at work - from theft or damage." It is further concerned with "Preventing unauthorised access to the vast amounts of personal information we store on these devices, and online."
3: What is Risk?
NCSC approves of several definitions of risk. One is from the Treasury Orange Book: “Risk is the effect of uncertainty on objectives. Risk is usually expressed in terms of causes, potential events, and their consequence”. Another is from the NCSC glossary: “Possible future outcomes that we can describe in terms of their chances of occurrence, and the impact they would have if realised.”
4: About The CyBOK
The Cyber Security Body of Knowledge (CyBOK), launched by the National Cyber Security Centre, codifies key cyber security concepts based on established literature. Rather than duplicating all existing materials, CyBOK maps out foundational knowledge to support the development of educational programmes at various levels.

CyBOK says: “The CyBOK has 19 Knowledge Areas (KAs). Each KA assumes a baseline agreement on the overall vocabulary, goals, and approaches to cyber security. Although its owners have necessarily divided the CyBOK into a number of discrete KAs, it is clear that there are many inter-relationships among them. Those with professional responsibility for one area must typically have at least a moderate grasp of the adjacent topics; someone responsible for architecting a secure system must understand many.”
Action: Consider the CyBOK diagram and decide where your experience and expertise lie. Also, where do you want to gain experience and expertise in the future? Be ready to introduce yourself to fellow attendees by explaining which areas you have experience of or interest in.
5: Security Concepts and Relationships
The Security Concepts and Relationships image below was produced by ISACA. It shows that risk is intrinsically linked to other factors such as assets, vulnerabilities, threat agents, and more. Robust, relevant risk assessment therefore cannot be conducted without sufficient knowledge of these factors. This workshop provides the guidance you need to take them into account.

Action: Consider the Security Concepts and Relationships diagram and decide where your experience and expertise lie. Are there areas that you do not have experience or knowledge of? Also, where do you want to gain experience and expertise in the future? Be ready to share insights with fellow attendees in the course.
6: Risk Assessment Processes: NIST and ISO/IEC
The images below show two other risk assessment processes: NIST SP 800-30 and ISO/IEC 27005. We will not be following these processes during the workshop, but they are included for awareness. The red box on each image indicates the steps that are comparable to the NCSC process.

7: Risk Assessment Processes
The image below shows the NCSC approach, and the red box indicates the steps that we will cover on the course (with information provided on steps 10 and 11 also).

8: Next Steps
That is the end of the pre-reading, and we look forward to working with you during the course. Before then, it will be helpful to keep a watchful eye on reputable news outlets for stories relating to cyber security, in case they are useful for discussions and the benefit of others on the course.
Please note: The APMG International and swirl device logo is a trade mark of the APM Group Limited, used under permission of The APM Group Limited. All rights reserved.