Risk Workshops and Governance
But how does this help with the CAF? Firstly, any good risk assessment begins by establishing the context: who the stakeholders are, and who needs to be informed of the outcome. This allows one to identify the governance structure required (CAF A1) and to name the responsible individuals and risk owners. To establish the context properly it is always best to include user input. With the stakeholders, users and risk owners attending an on-site or virtual workshop, lessons learnt, past incidents, and real fears and worries can all go into the melting-pot, and the risks can be prioritised. This covers the last part of the CAF, D2 (lessons learned). The outcomes between A2 and D2 concern controls, and the choice of controls to select and invest in follows from the analysis of lessons learnt in the risk assessment.

The risk workshop gives a sense of priority: the real concerns can be targeted, and equally one can identify the 'low hanging fruit', those quick wins and low-cost achievements that show progress and build momentum. It also provides a view of opportunity risk: the business opportunities to be exploited, why some actions are taken and others are not, and which risks can be tolerated for the greater business good. In other words, what is the risk appetite? The workshop should look at any system vulnerabilities and discuss who or what has the opportunity, capability and motive to exploit them. This helps to decide whether, and in what proportion, defence is needed against the disgruntled insider and against the external cyber attacker. It should also discuss the possibility that the external attacker exploits the insider and makes them the attacker through no wish of their own. A whaling or phishing attack, or ransomware, may cause an insider to deviate from procedure, make a mistake, let an attack in, or even, once compromised, deliberately contribute to an attack.

Where the workshop concludes that such hybrid attacks have happened or could happen, and at what impact, the response must be prioritised against both the insider and the cyber-attack. The exercise then proceeds to risk management. The risk management documentation must set out the controls applicable to the prioritised threats, making an argued security case that, with those controls in place, the residual risk is small enough to fit within the corporate risk appetite.
Using Teams, Google, Skype and Zoom
In the current, isolation-centric conditions the risk workshop fits well. It can be preceded by the 'Delphi' technique (see ISO 27005:2018), in which the coordinator sends pre-prepared questionnaires to the invited users and stakeholders. The answers give context and allow the workshop to be structured. The workshop itself can be run by video link, using Skype, Google or, if you are lucky, Microsoft Teams, even Zoom! Give thought to the security of the session, particularly the confidentiality of what is discussed, and to maximising participation. Perhaps the key word is 'structured', as in SWIFT (see ISO 27005:2018), the 'structured what-if technique'. Give the workshop an agenda, a medium for demonstrating ideas (whiteboarding?) and a means of recording them. Keeping a record is essential, because the findings become the evidence that supports decisions on prioritisation when selecting appropriate, applicable controls under the NIS CAF. Remember that the CAF is about outcomes, and there may be many ways of achieving the same outcome. There are physical, personnel, procedural and technical controls to choose from, and many different suppliers offering to help, with varying degrees of help and quite extreme differences in the investment required. Remember also that senior stakeholders, those with responsibility for security but also the resources (and cash) to commit, need to be convinced that their investment will reduce their risk and protect their bottom line.
Compliance and Continual Improvement
Of course, to comply with the NIS CAF there are mandatory conditions and outcomes to be achieved. Access to critical systems has to be controlled, and the information assets in those systems need to be effectively managed. Anomaly detection and protective monitoring have to be put in place to detect, deter and defend against insider and cyber-attack. A security awareness programme is essential if you are to prevent adversaries exploiting your internal resources, and an incident response plan and a back-up plan need to be in place and enforced. But how these outcomes are achieved is up to the individual operating company, and the best way to map them, in context and driven by the business, is through the structured discussion of a SWIFT workshop. This is not the end, however. The final outcome of the NIS CAF, D2 Lessons Learned, fits well with the continual improvement requirement of ISO/IEC 27001:2013. The SWIFT workshop can serve the ISO cycle of Plan, Do, Check, Act. Part of the governance should be to review progress continually, not just in complying with the CAF but in defeating the cyber threat. Monthly security working groups are needed, and annual risk assessments, supported by SWIFT, should become the norm.
By Joe Ferguson, NCSC Certified Cyber Practitioner and Senior Information Risk Analyst