Organisations are strongly encouraged to use a scale of between 1 and 5 to determine both likelihood and impact when assessing cybersecurity risks. By doing so, organisations can aid CSA in aggregating and viewing cybersecurity risks at the national level consistently. This enables CSA to identify and alert organisations of any systemic risks (at both sectoral and national level) which they could be exposed to.  

The practices prescribed in the risk assessment guidance document (i.e. the Guide to Conducting Cybersecurity Risk Assessment for CII) are applicable for all cybersecurity risk assessments. Organisations are strongly encouraged to reference the risk assessment guidance document when performing TRAs. 

The Guide to Conducting Cybersecurity Risk Assessment for CII is publicly available for anyone interested in adopting the good practices of conducting a cybersecurity risk assessment. An e-version of this risk assessment guidance document can be downloaded from CSA’s website (https://www.csa.gov.sg/legislation/supplementary-references). 

Organisations are encouraged to share their risk assessment methodologies with CSA so that we can assess its suitability and consider incorporating the relevant components into the next version of the risk assessment guidance document. 

CSA recognises that it takes time for organisations to adopt and integrate all the prescribed practices into their organisational risk management framework. Organisations should adopt the practices in their subsequent risk assessments progressively. Should organisations face challenges adopting the practices, they may provide feedback on the challenges faced to CII_Supervision@csa.gov.sg.

Organisations are not required to perform another risk assessment to incorporate the risk assessment practices retrospectively. However, organisations should adopt the prescribed practices in their subsequent risk assessments.

CSA will focus on reviewing cybersecurity-related risks. As such, organisations should place emphasis on identifying risk scenarios (i.e. “what could go wrong” events) that relate to cybersecurity threats. Organisations may include risk scenarios relating to physical threats such as natural disasters and hardware failure.

A compliance-based approach towards risk assessment drives a “checklist” behaviour, which might give organisations a false sense of security that they are not exposed to any risks, as long as they fulfil all compliance requirements. 

Every organisation is unique. Organisations must identify their assets before identifying threat events that could exploit the vulnerabilities, for each asset. Risk scenarios should then be constructed to identify “what could go wrong” scenarios that provide realistic and relatable view of risks based on the business context, system environment and pertinent threats.

Risk assessment is about identifying “what could go wrong” events (i.e. risk scenarios) and determining their likelihood and impact to your organisation. While organisations may have measures in place to isolate their systems from external environments, there is still a possibility of the measures failing and external threat actors could then gain access to the systems. Hence, external threats are still relevant and need to be considered when identifying risk scenarios. 

‘Residual Risk’ refers to the risk after implementation of treatment plan (i.e. current risk with additional measures), while ‘Current Risk’ is the risk level, after taking into account existing measures that have been applied. 

A SIL-rated system means that the system is assessed to meet a specific level of safety performance. While SIL ratings are representative of safety and reliability, they are often derived without taking into consideration adversarial threats in the cybersecurity realm. Hence, a cybersecurity risk assessment on the system is still necessary to account for cybersecurity risk scenarios.

Assets of the same function and configuration (e.g. High-Availability server cluster) within the same network segment are often of similar or identical security profiles. As such, organisations may group these assets together when identifying risk scenarios. However, organisations should be mindful that assets of the same function with different security profiles (e.g. different network segments, different configurations) may have varying risk scenarios and it may not be appropriate to group them together.

Feedback would not be provided for the initial risk assessment submission. Many organisations were observed to have the same problems in their initial risk assessment submissions (i.e. risk assessment reports submitted within the first 6 months of CII designation). These common problems are highlighted in the risk assessment guidance document and serve as a general feedback to all organisations:

(i) Poor articulation of risk scenarios;

(ii) Identification of risks using a compliance-oriented approach;

(iii) Absence of risk tolerance;

(iv) Determining risk likelihood based on historical or expected occurrences; and

(v) Treating risks with irrelevant controls/measures.

Organisations should expect individual feedback in their subsequent risk assessment submissions.