SecureByDesign-Playbook

Secure By Design Playbooks

This is a guide, with supporting material, to help you assess security risks for your small to medium size IT project. It is intended for both technical and non-technical staff, at least during the early iterations, to help you understand the interplay of risk costs and benefits.

This is different from using checklists of controls or mitigations (such as NCSC’s Cyber Essentials). Checklists can be quick, easy to use, and useful, but in unusual systems and circumstances such checklists can cause more harm than good. The approach given here will show you how to approach security rigorously for your own situation, producing the right artefacts to engage with your security experts and auditors.

In particular, this playbook will help you comply with the UK government’s Secure By Design. It implements NIST’s Cyber Security Framework and Risk Management Framework, which are widely recognised and will be familiar to your cyber security advisors and auditors. The ready-made templates use these frameworks, but you can replace them with your own or others. These are combined into a risk assessment covering likely adversary courses of action and what to monitor for, using an approach similar to the western military “Intelligence Preparation of the Battlefield”.

We have provided some examples here.

This is auto-published to the Secure By Design School pages, and is maintained on GitHub at the Secure By Design Playbook repository.

Start

Want to just get started? Go straight to the Playbook.

Background

Why SbD? Security is already designed into most systems; why do we need a concept called ‘Secure By Design’?

Why this playbook? What does this give you on top of the existing cyber security frameworks?

Managing your Assessment

Spirals not Cycles: Managing your assessments. Iterate: do it quickly, then again slowly, and then again at whatever level of detail you need.

Security Terms and Concepts: The process is outlined here with the terms used in the playbook, along with some other commonly used ones so you can see how they relate.

Who do you need?

In principle you don’t need to be technical to run the first iteration, and it may even be more useful not to be. It will be necessary, however, to have someone on hand who understands the ‘space’ that you are protecting: where your assets are located, which routes they are moved down or accessed through, where the boundaries are, and what the connections are between the space you are protecting and the areas around it.

You should also have someone knowledgeable who can check your assessments, both to help assure you that you are doing the right thing (or correct you if you are not in some places) and also to assure your customers that what you are delivering is suitably secure.

What do you need?

After the initial iterations, you will need some ways of exploring your networks so that you know what is actually stored where, and the connections and routes between locations.

For the risk assessment itself you can start with some spreadsheets, which will be sufficient, and we provide some templates and examples. However, as you dig deeper you will find that the combinations of assets, effects, places, routes, and threats can become unwieldy. At this point we would recommend a suitable database, the choice of which will depend on what is available to you.

Adding to this Project

Help us improve: which terms here do you find alien, and what would you use instead? What analogies or stories might you bring to help explain some of the concepts?

How to contribute

Examples and Specialist Themes

See About for links to related approaches and references.