- CAF Objective A - Managing security risk
- Appropriate organisational structures, policies, and processes in place to understand, assess and systematically manage security risks to the network and information systems supporting essential functions.
- Principle: A1 Governance
- The organisation has appropriate management policies and processes in place to govern its approach to the security of network and information systems.
- A1.a Board Direction
- You have effective organisational security management led at board level and articulated clearly in corresponding policies.
- IGPs
- Your organisation's approach and policy relating to the security of networks and information systems supporting the operation of essential functions are owned and managed at board level. These are communicated, in a meaningful way, to risk management decision-makers across the organisation.
- Regular board discussions on the security of network and information systems supporting the operation of your essential function take place, based on timely and accurate information and informed by expert guidance.
- There is a board-level individual who has overall accountability for the security of networks and information systems and drives regular discussion at board level.
- Direction set at board level is translated into effective organisational practices that direct and control the security of the networks and information systems supporting your essential function.
- A1.b Roles and Responsibilities
- Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.
- IGPs
- Necessary roles and responsibilities for the security of networks and information systems supporting your essential function have been identified. These are reviewed periodically to ensure they remain fit for purpose.
- Appropriately capable and knowledgeable staff fill those roles and are given the time, authority, and resources to carry out their duties.
- There is clarity on who in your organisation has overall accountability for the security of the networks and information systems supporting your essential function.
- A1.c Decision-making
- You have senior-level accountability for the security of networks and information systems, and delegate decision-making authority appropriately and effectively. Risks to network and information systems related to the operation of essential functions are considered in the context of other organisational risks.
- IGPs
- Senior management have visibility of key risk decisions made throughout the organisation.
- Risk management decision-makers understand their responsibilities for making effective and timely decisions in the context of the risk appetite regarding the essential function, as set by senior management.
- Risk management decision-making is delegated and escalated where necessary, across the organisation, to people who have the skills, knowledge, tools, and authority they need.
- Risk management decisions are periodically reviewed to ensure their continued relevance and validity.
- Principle: A2 Risk Management
- The organisation takes appropriate steps to identify, assess and understand security risks to the network and information systems supporting the operation of essential functions. This includes an overall organisational approach to risk management.
- A2.a Risk Management Process
- Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.
- IGPs
- Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.
- Your approach to risk is focused on the possibility of adverse impact to your essential function, leading to a detailed understanding of how such impact might arise as a consequence of possible attacker actions and the security properties of your networks and information systems.
- Your risk assessments are based on a clearly understood set of threat assumptions, informed by an up-to-date understanding of security threats to your essential function and your sector.
- Your risk assessments are informed by an understanding of the vulnerabilities in the networks and information systems supporting your essential function.
- The output from your risk management process is a clear set of security requirements that will address the risks in line with your organisational approach to security.
- Significant conclusions reached in the course of your risk management process are communicated to key security decision-makers and accountable individuals.
- You conduct risk assessments when significant events potentially affect the essential function, such as replacing a system or a change in the cyber security threat.
- Your risk assessments are dynamic and updated in the light of relevant changes which may include technical changes to networks and information systems, change of use and new threat information.
- The effectiveness of your risk management process is reviewed periodically, and improvements made as required.
- You perform detailed threat analysis and understand how this applies to your organisation in the context of the threat to your sector and the wider CNI.
- A2.b Assurance
- You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to essential functions.
- IGPs
- You validate that the security measures in place to protect the networks and information systems are effective and remain effective for the lifetime over which they are needed.
- You understand the assurance methods available to you and choose appropriate methods to gain confidence in the security of essential functions.
- Your confidence in the security as it relates to your technology, people, and processes can be justified to, and verified by, a third party.
- Security deficiencies uncovered by assurance activities are assessed, prioritised and remedied when necessary in a timely and effective way.
- The methods used for assurance are reviewed to ensure they are working as intended and remain the most appropriate method to use.
- Principle: A3 Asset Management
- Everything required to deliver, maintain or support networks and information systems necessary for the operation of essential functions is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling).
- A3.a Asset Management
- IGPs
- All assets relevant to the secure operation of essential functions are identified and inventoried (at a suitable level of detail). The inventory is kept up-to-date.
- Dependencies on supporting infrastructure (e.g. power, cooling) are recognised and recorded.
- You have prioritised your assets according to their importance to the operation of the essential function.
- You have assigned responsibility for managing physical assets.
- Assets relevant to essential functions are managed with cyber security in mind throughout their lifecycle, from creation through to eventual decommissioning or disposal.
- Principle: A4 Supply Chain
- The organisation understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.
- A4.a Supply Chain
- IGPs
- You have a deep understanding of your supply chain, including sub-contractors and the wider risks it faces. You consider factors such as suppliers' partnerships, competitors, nationality and other organisations with which they sub-contract. This informs your risk assessment and procurement processes.
- Your approach to supply chain risk management considers the risks to your essential functions arising from supply chain subversion by capable and well-resourced attackers.
- You have confidence that information shared with suppliers that is essential to the operation of your function is appropriately protected from sophisticated attacks.
- You can clearly express the security needs you place on suppliers in ways that are mutually understood and are laid down in contracts. There is a clear and documented shared-responsibility model.
- All network connections and data sharing with third parties are managed effectively and proportionately.
- When appropriate, your incident management process and that of your suppliers provide mutual support in the resolution of incidents.
- CAF Objective B - Protecting against cyber-attack
- Proportionate security measures are in place to protect the networks and information systems supporting essential functions from cyber attack.
- Principle: B1 Service Protection Policies and Processes
- The organisation defines, implements, communicates and enforces appropriate policies and processes that direct its overall approach to securing systems and data that support operation of essential functions.
- B1.a Policy and Process Development
- You have developed and continue to improve a set of cyber security and resilience policies and processes that manage and mitigate the risk of adverse impact on the essential function.
- IGPs
- You fully document your overarching security governance and risk management approach, technical security practice and specific regulatory compliance. Cyber security is integrated and embedded throughout these policies and processes and key performance indicators are reported to your executive management.
- Your organisation’s policies and processes are developed to be practical, usable and appropriate for your essential function and your technologies.
- Policies and processes that rely on user behaviour are practical, appropriate and achievable.
- You review and update policies and processes at suitably regular intervals to ensure they remain relevant. This is in addition to reviews following a major cyber security incident.
- Any changes to the essential function or the threat it faces trigger a review of policies and processes.
- Your systems are designed so that they remain secure even when user security policies and processes are not always followed.
- B1.b Policy and Process Implementation
- You have successfully implemented your security policies and processes and can demonstrate the security benefits achieved.
- IGPs
- All your policies and processes are followed, and their correct application and security effectiveness are evaluated.
- Your policies and processes are integrated with other organisational policies and processes, including HR assessments of individuals' trustworthiness.
- Your policies and processes are effectively and appropriately communicated across all levels of the organisation resulting in good staff awareness of their responsibilities.
- Appropriate action is taken to address all breaches of policies and processes with potential to adversely impact the essential function, including aggregated breaches.
- Principle: B2 Identity and Access Control
- The organisation understands, documents and manages access to networks and information systems supporting the operation of essential functions. Users (or automated functions) that can access data or systems are appropriately verified, authenticated and authorised.
- B2.a Identity Verification, Authentication and Authorisation
- You robustly verify, authenticate and authorise access to the networks and information systems supporting your essential function.
- IGPs
- Only authorised and individually authenticated users can physically access and logically connect to your networks or information systems on which your essential function depends.
- User access to all your networks and information systems supporting the essential function is limited to the minimum necessary.
- You use additional authentication mechanisms, such as two-factor or hardware-backed certificates, for privileged access to all systems that operate or support your essential function.
- You use additional authentication mechanisms, such as two-factor or hardware-backed certificates, when you individually authenticate and authorise all remote user access to all your networks and information systems that support your essential function.
- The list of users with access to networks and systems supporting and delivering the essential function is reviewed on a regular basis, at least every six months.
- B2.b Device Management
- You fully know and have trust in the devices that are used to access your networks, information systems and data that support your essential function.
- IGPs
- Dedicated devices are used for privileged actions (such as administration or accessing the essential function's network and information systems). These devices are not used for directly browsing the web or accessing email.
- You either obtain independent and professional assurance of the security of third-party devices or networks before they connect to your systems, or you only allow third-party devices or networks dedicated to supporting your systems to connect.
- You perform certificate-based device identity management and only allow known devices to access systems necessary for the operation of your essential function.
- You perform regular scans to detect unknown devices and investigate any findings.
- B2.c Privileged User Management
- IGPs
- Privileged user access to your essential function systems is carried out from dedicated separate accounts that are closely monitored and managed.
- The issuing of temporary, time-bound rights for privileged user access and external third-party support access is either in place or you are migrating to an access control solution that supports this functionality.
- Privileged user access rights are regularly reviewed and always updated as part of your joiners, movers and leavers process.
- All privileged user access to your networks and information systems requires strong authentication, such as two-factor, hardware authentication, or additional real-time security monitoring.
- All privileged user activity is routinely reviewed, validated and recorded for offline analysis and investigation.
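The B2.a review-interval indicator and the B2.c indicators on strong authentication, dedicated accounts and time-bound rights can all be checked mechanically against an access inventory. The following is an added example written for this page, not part of the CAF or of any NCSC tooling: the `AccessRecord` layout, the 183-day reading of "six months", and the sample accounts are constructed here, and a real review would map the organisation's own IdAM export onto these fields.

```python
"""Access-rights review against the B2.a and B2.c indicators.

Added example, not part of the CAF. The AccessRecord layout and the sample
accounts below are constructed; a real review would read the organisation's
own IdAM export and map its fields onto these attributes.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# B2.a: the user list is reviewed at least every six months (taken here as 183 days).
REVIEW_INTERVAL = timedelta(days=183)


@dataclass
class AccessRecord:
    user: str                       # the person (or third party) behind the account
    account: str                    # the account that actually holds the access
    privileged: bool                # can administer systems supporting the essential function
    strong_auth: bool               # two-factor or hardware-backed credential enrolled (B2.c)
    dedicated_admin_account: bool   # privileged rights live on a separate account (B2.c)
    last_reviewed: date             # when a named owner last confirmed the access is still needed
    expires: Optional[date] = None  # end date of a time-bound grant (B2.c); None = standing access


def review_access(records: List[AccessRecord], today: date) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for every indicator a record fails."""
    findings = []
    for r in records:
        if today - r.last_reviewed > REVIEW_INTERVAL:
            findings.append((r.account, "access review overdue (B2.a: at least every six months)"))
        if not r.privileged:
            continue  # the remaining indicators apply to privileged access only
        if not r.strong_auth:
            findings.append((r.account, "privileged access without strong authentication (B2.c)"))
        if not r.dedicated_admin_account:
            findings.append((r.account, "privileged rights on a non-dedicated account (B2.c)"))
        if r.expires is None:
            findings.append((r.account, "standing privileged access, not time-bound (B2.c)"))
        elif r.expires < today:
            findings.append((r.account, "time-bound grant expired but still active (B2.c)"))
    return findings


def accounts_with_findings(findings: List[Tuple[str, str]]) -> List[str]:
    """Distinct accounts that need follow-up, in first-seen order."""
    seen: List[str] = []
    for account, _ in findings:
        if account not in seen:
            seen.append(account)
    return seen


# Constructed sample inventory: a compliant day-to-day user, a compliant admin account,
# a legacy admin account that fails several indicators, and an expired vendor grant.
SAMPLE_RECORDS = [
    AccessRecord("alice", "alice", False, True, False, date(2024, 3, 1)),
    AccessRecord("alice", "alice-adm", True, True, True, date(2024, 3, 1), date(2024, 6, 30)),
    AccessRecord("bob", "bob", True, False, False, date(2023, 9, 1)),
    AccessRecord("vendor-support", "svc-vendor", True, True, True, date(2024, 3, 1), date(2024, 4, 30)),
]
REVIEW_DATE = date(2024, 5, 15)  # constructed "today" so the output is reproducible

if __name__ == "__main__":
    for account, finding in review_access(SAMPLE_RECORDS, REVIEW_DATE):
        print(f"{account:12} {finding}")
```

Each finding names the indicator it relates to, so the output can be handed straight to the accountable individual (A1.b) as an action list rather than as raw data.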
- B2.d Identity and Access Management (IdAM)
- You assure good management and maintenance of identity and access control for your networks and information systems supporting the essential function.
- IGPs
- Your procedure to verify each user and issue the minimum required access rights is robust and regularly audited.
- User permissions are reviewed both when people change roles via your joiners, leavers and movers process and at regular intervals - at least annually.
- All user access is logged and monitored.
- You regularly review access logs and correlate this data with other access records and expected activity.
- Attempts by unauthorised users to connect to your systems are alerted, promptly assessed and investigated.
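The last two B2.d indicators ask that access logs be correlated with access records and expected activity, and that attempts by unauthorised users be alerted. The following is an added example of that correlation, not part of the CAF: the log line format, the access records (authorised users, their source networks and expected hours) and the sample lines are all constructed for this illustration, and a real deployment would parse the organisation's own authentication logs and IdAM export.

```python
"""Access-log correlation against access records and expected activity (B2.d).

Added example, not part of the CAF. The log line format, the access records and
the sample lines are constructed for this illustration.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed log format: "<ISO timestamp> host=<h> user=<u> src=<ip> result=success|failure"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed access records (B2.d): who is authorised, from which networks, and during
# which hours their activity is expected. Anyone absent from this table is unauthorised.
ACCESS_RECORDS: Dict[str, dict] = {
    "alice": {"networks": ["10.0.5.0/24"], "hours": (7, 19)},
    "bob": {"networks": ["10.0.5.0/24", "10.0.9.0/24"], "hours": (7, 19)},
}
FAILURE_THRESHOLD = 3  # consecutive failures per user before an alert is raised


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def correlate(lines: List[str], records: Dict[str, dict] = ACCESS_RECORDS,
              threshold: int = FAILURE_THRESHOLD) -> List[Tuple[str, str]]:
    """Return (alert_kind, detail) pairs for events that disagree with the access records."""
    alerts: List[Tuple[str, str]] = []
    failures: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            alerts.append(("unparsed", line))  # never drop a line silently
            continue
        user, host = ev["user"], ev["host"]
        src = ipaddress.ip_address(ev["src"])
        record = records.get(user)
        if record is None:
            # B2.d: attempts by unauthorised users are alerted for prompt assessment
            alerts.append(("unknown-user", f"{user} from {src} on {host}"))
            continue
        if not any(src in ipaddress.ip_network(n) for n in record["networks"]):
            alerts.append(("unexpected-source", f"{user} from {src} on {host} ({ev['result']})"))
        start, end = record["hours"]
        if ev["result"] == "success" and not start <= ev["ts"].hour < end:
            alerts.append(("off-hours", f"{user} logged in at {ev['ts'].isoformat()}"))
        if ev["result"] == "failure":
            failures[user] += 1
            if failures[user] == threshold:
                alerts.append(("repeated-failures", f"{user}: {threshold} failed attempts"))
        else:
            failures[user] = 0  # a success resets the consecutive-failure count
    return alerts


# Constructed sample log: one unknown user, one authorised user arriving from an
# unexpected network, a burst of failures, and a late-night login.
SAMPLE_LOG = [
    "2024-05-15T08:02:11Z host=gw01 user=alice src=10.0.5.12 result=success",
    "2024-05-15T08:05:40Z host=gw01 user=mallory src=203.0.113.7 result=failure",
    "2024-05-15T08:06:02Z host=gw01 user=bob src=198.51.100.20 result=success",
    "2024-05-15T08:07:10Z host=gw01 user=bob src=10.0.9.4 result=failure",
    "2024-05-15T08:07:15Z host=gw01 user=bob src=10.0.9.4 result=failure",
    "2024-05-15T08:07:21Z host=gw01 user=bob src=10.0.9.4 result=failure",
    "2024-05-15T23:40:05Z host=gw01 user=alice src=10.0.5.12 result=success",
]

if __name__ == "__main__":
    for kind, detail in correlate(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

The point of the design is that the access records, not the logs, define what is expected: a successful login is still alerted when it comes from a network or at an hour the record does not cover, which is the correlation the indicator asks for rather than a plain failed-login count.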
- Principle: B3 Data Security
- Principle: B4 System Security
- Principle: B5 Resilient Networks and Systems
- Principle: B6 Staff Awareness and Training
- CAF Objective C - Detecting cyber security events
- CAF Objective D - Minimising the impact of cyber security incidents