Quick Start – User Guide
Introduction
nCyRisk is a Software as a Service that facilitates a self-assessment by an organization of its vulnerabilities to cyber risks.
LOGGING IN
Once the subscription documentation has been returned to nCybr Inc, the users get loaded and a username is assigned. Each User is sent a confirmation email that they have been loaded.
The log in domain is: https://www.ncyrisk.com
Click on “Login”
When logging in for the first time, click on “Reset Password”.
The system will prompt for the “User Name” as well as the “Email Address”. If these are as recorded in the system, an email is sent to the User with the link for the User to set their own Password.
NAVIGATION
The menu bar is along the top of the Product. By Clicking on these you access their respective functionalities.
DEFINE:
“Define Assets” – The IT Assets are refined to reflect those of the organisation.
“Threat Environment” – The Inherent Threats can be refined to reflect the Industry of the Organisation
“Define Compliance Report” – The details are customised for inclusion in the “compliance report”
CONTROLS ASSESSMENT:
“Directory” – The full listing by Category and Sub-Category of Controls
“Control Assessment” – The existence and application of the control is ‘self-assessed’.
DASHBOARD:
Overview of Completeness of review, highest Risks, highest Threats, and next recommended Remediation Controls
REVIEW:
The capability to review Lists of Risk, Threats & Remediation Controls
REPORTS:
Compliance Reports that are Standards based (ISO 27002, NIST 800-53, NIST CSF, CIS)
Remediation Controls based on a Standard
Controls Commentary
Report of Remediation action steps
EXPLANATORY NOTE
- The framework of nCyRisk is based on ENISA.
- Cyber Threats considered together with the organisations Assets inform the Risk Listing.
- nCyRisk has the related Threats mapped to the Assets to which they apply.
- Controls have been mapped to all the Threats that are mitigated by their implementation.
- Thus by performing a Controls review, thereby identifying control deficiencies, nCyRisk can calculate the Threat vulnerability.
- The Threat considered with the Assets of the Organisation calculate the greatest Cyber Risk that is facing the Organisation.
DEFINE ASSETS
- A full listing of assets is presented
- Every asset is included and has a default of ‘catastrophic’ where it were to be compromised for a longer period of time.
- Click on the ‘pencil’ to access the ‘edit’ functionality for each individual asset.
- Click the ‘tick’ to ‘exclude’ the asset or to ‘include’ it again, if previously excluded
- Click the ‘dropdown’ to select the ‘loss impact’ where the asset were to be compromised
- Asset descriptions and asset values can be captured for added clarity
CONTROLS ASSESSMENT
- Click on “Directory” to have an overview of the Categories and Sub Categories of the Controls
- Click on “Control Assessment” to access the ‘self-assessment’ functionality
- Per Category and Sub-category, the controls are presented
- The User first identifies whether the control exists / has been implemented in the organisation
- By clicking “Yes”, the prompt appears for “Quality” and “Maturity”
- The combination of “Quality” and “Maturity” (degree of implementation) indicates the effectiveness of the control. Ie “High” and “High” would indicate that the control is optimally effective.
OPTION:
The Client can opt to first review “Primary Controls” ahead of also reviewing “Secondary Controls”. The Organisation would seek to prioritise implementing all Primary Controls first.
COMPLIANCE BY STANDARD
By having completed a Controls Review, and by the Controls being mapped to Cyber Security Standards (NIST, ISO27002, CSF or CIS), a related Compliance Report can be drawn per Standard.
By clicking on the tab “Reports” the dropdown reflects the Standards that can be reported on.
By clicking on the respective Standard, nCyRisk presents a compliance table of the Controls “Applied”, “Partially Applied” or “Not Applied”.
RECOMMENDED REMEDIATION BY STANDARD
The table is an analysis of the application of controls. The manner for improvement would entail continual remediation of controls from the column “Partially Applied” and “Not Applied” to the “Applied” column. The intelligence sought would be “What is the next best Control to remediate per Standard Category?”
By clicking on the tab “Reports” and selecting “Compliance Remediation Report” , nCyRisk produces the a report of the next recommended Control to be considered for Remediation by Category.
The Standard is selected from a dropdown ‘Framework’. Once selected click ‘View Report’.
The numeric before the Control description is the Controls ranking under that Category of the Standard, ie “1” means that it is the highest ranked Control under that Category.
PRODUCING A COMPLIANCE REPORT
The Compliance report provides assurance by the extent to which Controls have been applied in relation to the required Standard. The Report is customised per client.
Click on the tab “Define” and select “Define Compliance Report”
- First add the ‘Custodian’ of the Controls Review by clicking on the ‘plus’ icon.
- Enter details and click the ‘tick’ to save.
- Enter the balance of the customised details that gets applied into the Report
Click “Update” to update the Compliance Report.
To produce the Report, click the tab “Reports”, select the Compliance Standard from the dropdown.
Click on the dropdown “Save” button and select the PDF to create a printable version
