Prepare
- Be clear about what you are assessing.
  - In the software world, we are typically developing a system to be used by someone else.
  - We therefore need to assess the risks the deployed system has, and also the risks to the development team. These are two different assessments.
- Have a place to register what assets you have where.
  - We provide a starter spreadsheet for you to record onto, but your workplace may already have asset registers, so see what already exists.
- Be able to explore and map your networks.
  - To start with, this can be diagrams of the main store and processing points and the links between them, or just ‘zone’ blobs.
  - At some point you will need to properly check what actual equipment is where and what the actual connections are between them.
  - There are various tools for this and we will cover them later, but you will probably need to draw on technical expertise too.
- Have a place to register threats.
  - We provide a starter spreadsheet for you to use, but you will probably need to tailor it and add to it for your own specific situation.
- Have a ‘Risk Register’.
  - Most projects should have this already, even if it is largely in people’s heads.
  - You will need to translate your Cyber Security risk assessment into business terms, so get ready to speak managementese.
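The asset register and the store/processing-point/link map described above can be kept in code as well as in the starter spreadsheet. The following is an added example, not code from the original material: a small Python register of assets (stores and processing points), the zone each sits in, and the links between them. Its useful output is the list of links that cross a zone boundary, which is where a threat register usually needs the most entries, plus a check for assets with no recorded owner. All asset names, zones and protocols are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Asset:
    name: str
    kind: str          # "store" (holds data) or "process" (acts on data)
    zone: str          # network zone the asset sits in, e.g. "dmz"
    owner: str = ""    # empty means nobody has been recorded as owner yet


@dataclass
class Link:
    src: str
    dst: str
    protocol: str


class Register:
    """Asset register plus the links between assets (a minimal network map)."""

    def __init__(self) -> None:
        self.assets: Dict[str, Asset] = {}
        self.links: List[Link] = []

    def add_asset(self, asset: Asset) -> None:
        if asset.name in self.assets:
            raise ValueError(f"duplicate asset: {asset.name}")
        if asset.kind not in ("store", "process"):
            raise ValueError(f"unknown kind {asset.kind!r} for {asset.name}")
        self.assets[asset.name] = asset

    def add_link(self, link: Link) -> None:
        # A link to something not in the register means the map is incomplete.
        for end in (link.src, link.dst):
            if end not in self.assets:
                raise ValueError(f"link refers to unregistered asset: {end}")
        self.links.append(link)

    def cross_zone_links(self) -> List[Link]:
        """Links whose two ends sit in different zones (zone-boundary crossings)."""
        return [l for l in self.links
                if self.assets[l.src].zone != self.assets[l.dst].zone]

    def assets_by_zone(self) -> Dict[str, List[str]]:
        out: Dict[str, List[str]] = {}
        for a in self.assets.values():
            out.setdefault(a.zone, []).append(a.name)
        return out

    def unowned_assets(self) -> List[str]:
        return [a.name for a in self.assets.values() if not a.owner]

    def to_csv_rows(self) -> List[str]:
        """Rows in the same shape as a simple asset-register spreadsheet."""
        rows = ["name,kind,zone,owner"]
        for a in self.assets.values():
            rows.append(f"{a.name},{a.kind},{a.zone},{a.owner}")
        return rows


def build_sample_register() -> Register:
    # Constructed sample data: a browser, a web front end, a backend service, a database.
    reg = Register()
    reg.add_asset(Asset("customer-browser", "process", "internet"))
    reg.add_asset(Asset("web-frontend", "process", "dmz", owner="web team"))
    reg.add_asset(Asset("order-service", "process", "internal", owner="backend team"))
    reg.add_asset(Asset("orders-db", "store", "internal", owner="dba"))
    reg.add_link(Link("customer-browser", "web-frontend", "https"))
    reg.add_link(Link("web-frontend", "order-service", "https"))
    reg.add_link(Link("order-service", "orders-db", "postgres"))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for zone, names in reg.assets_by_zone().items():
        print(f"zone {zone}: {', '.join(names)}")
    for l in reg.cross_zone_links():
        print(f"zone crossing: {l.src} -> {l.dst} ({l.protocol})")
    print("assets with no owner:", reg.unowned_assets())
```

Running it lists the assets per zone, the two links that cross a zone boundary, and the one asset nobody owns; each of those is a row you would expect to see picked up in the threat register and, in business terms, in the risk register.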