The National Cybersecurity Committee (NCSC) has now issued a new notification for Critical Information Infrastructure Organizations (CII Organizations), which aims to provide guidance on how to assess cyber threats and determine the level of each threat. The assessed level will in turn determine how CII Organizations handle each threat and the security control baselines that should be implemented in their internal procedures.

The new notification details four key factors to help assess the level of a cyber threat, namely: effects to device or system; effects to information in the system; possibility of system retrieval; and effects to customers or users. However, this list is not exhaustive, and other factors may also be taken into account by CII Organizations and their regulators. Furthermore, the NCSC has the authority to adjust the threat level assessed by the CII Organizations upon review of their report.

The new notification also provides a further four steps that detail the handling process and security control baselines: preparation via measures for responding to and preventing cyber threats; detection and analysis of the cyber threat, including notifying the relevant authorities; containment, eradication and recovery; and post-incident activity to prevent the same threat occurring in the future.

For more details on this new notification, see: National Cybersecurity Committee announces the details on the characteristics of the cyber threats and security control baselines
