Quick Start – User Guide

Introduction

nCyRisk is a Software as a Service (SaaS) product that supports an organisation's self-assessment of its exposure to cyber risk.

OUTCOMES

Board intelligence on cyber risks and threats, in terminology that the Board and EXCO can understand.

A compliance report produced against the standard of choice (NIST 800-53, ISO 27002, NIST CSF or CIS).

A remediation listing, sequenced by the prioritised controls that deliver the greatest risk mitigation.

LOGGING IN

Once the subscription documentation has been returned to nCybr Inc, the users are loaded and each is assigned a username. Each user is sent a confirmation email that they have been loaded.

The login domain is: https://www.ncyrisk.com

Click on "Login".

When logging in for the first time, click on "Reset Password".

The system prompts for the "User Name" and the "Email Address". If both match what is recorded in the system, an email is sent to the user containing a link with which the user sets their own password. Because the reset link arrives by email, the mailbox on record must be one the user controls; choose a strong, unique password when setting it.

NAVIGATION

The menu bar runs along the top of the product. Clicking a menu item opens its functionality.

DEFINE:

"Define Assets" – The IT asset list is refined to reflect the organisation's own assets.

"Threat Environment" – The inherent threats can be refined to reflect the organisation's industry.

"Define Compliance Report" – The details to be included in the compliance report are customised.

CONTROLS ASSESSMENT:

"Directory" – The full listing of controls by Category and Sub-Category.

"Control Assessment" – The existence and application of each control is self-assessed.

DASHBOARD:

Overview of the completeness of the review, the highest risks, the highest threats, and the next recommended remediation controls.

REVIEW:

Lists of risks, threats and remediation controls can be reviewed.

REPORTS:

Standards-based compliance reports (ISO 27002, NIST 800-53, NIST CSF, CIS)

Remediation controls based on a standard

Controls commentary

Report of remediation action steps

EXPLANATORY NOTE

  • The framework of nCyRisk is based on ENISA.
  • The cyber threats, considered together with the organisation's assets, inform the risk listing.
  • nCyRisk maps each threat to the assets to which it applies.
  • Each control is mapped to all the threats that its implementation mitigates.
  • A controls review therefore identifies control deficiencies, from which nCyRisk calculates the vulnerability to each threat.
  • Each threat, considered against the organisation's assets, yields the greatest cyber risks facing the organisation.

DEFINE ASSETS

  • A full listing of assets is presented.
  • Every asset is included by default, with a default loss impact of 'catastrophic' should it be compromised for a prolonged period.
  • Click the 'pencil' to edit an individual asset.
  • Click the 'tick' to exclude the asset, or to include it again if it was previously excluded.
  • Click the 'dropdown' to select the 'loss impact' should the asset be compromised.
  • Asset descriptions and asset values can be captured for added clarity.

CONTROLS ASSESSMENT

  • Click on "Directory" for an overview of the Categories and Sub-Categories of the controls.
  • Click on "Control Assessment" to access the self-assessment functionality.

  • The controls are presented per Category and Sub-Category.
  • The user first identifies whether the control exists, i.e. has been implemented in the organisation.
  • Clicking "Yes" prompts for "Quality" and "Maturity".
  • The combination of "Quality" and "Maturity" (degree of implementation) indicates the effectiveness of the control; "High" and "High" indicates that the control is optimally effective.

 

 

OPTION:

The client can opt to review the "Primary Controls" first and the "Secondary Controls" afterwards. The organisation should prioritise implementing all Primary Controls first.

COMPLIANCE BY STANDARD

Once a controls review has been completed, and because the controls are mapped to the cyber security standards (NIST 800-53, ISO 27002, NIST CSF or CIS), a compliance report can be drawn per standard.

Clicking the "Reports" tab shows a dropdown of the standards that can be reported on.

Clicking a standard presents a compliance table of the controls that are "Applied", "Partially Applied" or "Not Applied".

 

RECOMMENDED REMEDIATION BY STANDARD

The table is an analysis of the application of controls. Improvement consists of continually remediating controls from the "Partially Applied" and "Not Applied" columns into the "Applied" column. The intelligence sought is: "What is the next best control to remediate, per category of the standard?"

Clicking the "Reports" tab and selecting "Compliance Remediation Report" produces a report of the next recommended control to be considered for remediation, by category.

The standard is selected from the 'Framework' dropdown. Once selected, click 'View Report'.

The number before the control description is the control's ranking within that category of the standard; "1" means it is the highest-ranked control in that category.
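To make the chain described in the Explanatory Note (assets, threats mapped to assets, controls mapped to threats), the Quality/Maturity self-assessment under CONTROLS ASSESSMENT, the "Applied" / "Partially Applied" / "Not Applied" compliance table and the per-category "next best control" ranking concrete, here is an added worked example in Python. It is illustrative code written for this guide, not nCyRisk's own implementation: the numeric scales for loss impact and for Quality/Maturity, the rule that a control's effectiveness is the product of its two levels, the rule that residual threat vulnerability is the product of (1 - effectiveness) over the mitigating controls, the mapping onto the three compliance columns, and the asset, threat and control data are all constructed assumptions.

```python
"""Illustrative risk model: assets carry a loss impact, threats map to assets,
controls map to the threats they mitigate, and a Quality/Maturity self-assessment
drives threat vulnerability, asset risk, a compliance table and a per-category
'next best control' ranking. Added example; the scoring rules are assumptions,
not nCyRisk's own formulas."""
from dataclasses import dataclass

LEVEL = {"Low": 0.25, "Medium": 0.5, "High": 1.0}                    # assumed scale
IMPACT = {"Minor": 1, "Moderate": 2, "Major": 3, "Catastrophic": 4}  # assumed scale


@dataclass
class Asset:
    name: str
    impact: str = "Catastrophic"  # guide: default loss impact is 'catastrophic'
    included: bool = True         # the 'tick' excludes / re-includes the asset


@dataclass
class Threat:
    name: str
    assets: list  # names of the assets this threat applies to


@dataclass
class Control:
    cid: str
    category: str    # category under the chosen standard
    mitigates: list  # names of the threats this control mitigates
    exists: bool = False
    quality: str = "Low"
    maturity: str = "Low"

    def effectiveness(self) -> float:
        """Assumed: effectiveness = quality level x maturity level; High/High = 1.0."""
        if not self.exists:
            return 0.0
        return LEVEL[self.quality] * LEVEL[self.maturity]

    def status(self) -> str:
        """Assumed mapping onto the compliance-table columns."""
        if not self.exists:
            return "Not Applied"
        return "Applied" if self.effectiveness() == 1.0 else "Partially Applied"


def threat_vulnerability(threat: Threat, controls: list) -> float:
    """Assumed: mitigations stack, so residual vulnerability = product of (1 - effectiveness)."""
    residual = 1.0
    for c in controls:
        if threat.name in c.mitigates:
            residual *= 1.0 - c.effectiveness()
    return residual


def asset_risks(assets: list, threats: list, controls: list) -> dict:
    """Risk per included asset = impact x highest vulnerability among its threats, highest first."""
    risks = {}
    for a in assets:
        if not a.included:
            continue
        vulns = [threat_vulnerability(t, controls) for t in threats if a.name in t.assets]
        risks[a.name] = IMPACT[a.impact] * max(vulns, default=0.0)
    return dict(sorted(risks.items(), key=lambda kv: -kv[1]))


def compliance_table(controls: list) -> dict:
    """Group control IDs into the three compliance-table columns."""
    table = {"Applied": [], "Partially Applied": [], "Not Applied": []}
    for c in controls:
        table[c.status()].append(c.cid)
    return table


def next_best_controls(assets: list, threats: list, controls: list) -> dict:
    """Per category, rank controls not yet 'Applied' by the total risk removed
    if each alone were brought to High/High (position 1 = highest gain)."""
    baseline = sum(asset_risks(assets, threats, controls).values())
    gains = {}
    for c in controls:
        if c.status() == "Applied":
            continue
        saved = (c.exists, c.quality, c.maturity)
        c.exists, c.quality, c.maturity = True, "High", "High"
        gain = baseline - sum(asset_risks(assets, threats, controls).values())
        c.exists, c.quality, c.maturity = saved  # restore the real assessment
        gains.setdefault(c.category, []).append((gain, c.cid))
    return {cat: [cid for _, cid in sorted(lst, key=lambda g: (-g[0], g[1]))]
            for cat, lst in gains.items()}


# Constructed sample data for the example (not real customer data)
ASSETS = [Asset("Customer DB"), Asset("Public website", "Moderate"),
          Asset("Legacy printer", "Minor", included=False)]
THREATS = [Threat("Ransomware", ["Customer DB", "Public website"]),
           Threat("Web app compromise", ["Public website"]),
           Threat("Data exfiltration", ["Customer DB"])]
CONTROLS = [Control("BK-1", "Recover", ["Ransomware"], True, "High", "High"),
            Control("AV-1", "Protect", ["Ransomware"], True, "Medium", "High"),
            Control("WAF-1", "Protect", ["Web app compromise"]),
            Control("DLP-1", "Detect", ["Data exfiltration"], True, "Low", "Low"),
            Control("MFA-1", "Protect", ["Data exfiltration", "Web app compromise"])]

if __name__ == "__main__":
    print("Asset risks:", asset_risks(ASSETS, THREATS, CONTROLS))
    print("Compliance table:", compliance_table(CONTROLS))
    print("Next best controls:", next_best_controls(ASSETS, THREATS, CONTROLS))
```

With the sample data, ransomware is fully mitigated by the High/High backup control, so the remaining risk sits in the unmitigated web-application and data-exfiltration threats; the ranking then places the one control that covers both of those threats first within its category, which is the kind of "next best control" answer the remediation report is meant to give.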

 

PRODUCING A COMPLIANCE REPORT

The compliance report provides assurance of the extent to which controls have been applied relative to the chosen standard. The report is customised per client.

Click the "Define" tab and select "Define Compliance Report".

  • First add the 'Custodian' of the controls review by clicking the 'plus' icon.
  • Enter the details and click the 'tick' to save.
  • Enter the remaining customised details that are applied to the report.

Click "Update" to update the compliance report.

To produce the report, click the "Reports" tab and select the compliance standard from the dropdown.

Click the "Save" dropdown button and select PDF to create a printable version.