CAF Objective A - Managing security risk

Appropriate organisational structures, policies, and processes in place to understand, assess and systematically manage security risks to the network and information systems supporting essential functions.

Principle: A1 Governance

The organisation has appropriate management policies and processes in place to govern its approach to the security of network and information systems.

A1.a Board Direction

You have effective organisational security management led at board level and articulated clearly in corresponding policies.

• Your organisation’s approach and policy relating to the security of networks and information systems supporting the operation of essential functions are owned and managed at board level. These are communicated, in a meaningful way, to risk management decision-makers across the organisation.
• Regular board discussions on the security of network and information systems supporting the operation of your essential function take place, based on timely and accurate information and informed by expert guidance.
• There is a board-level individual who has overall accountability for the security of networks and information systems and drives regular discussion at board-level.
• Direction set at board level is translated into effective organisational practices that direct and control the security of the networks and information systems supporting your essential function.

A1.b Roles and Responsibilities

Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.

• Necessary roles and responsibilities for the security of networks and information systems supporting your essential function have been identified. These are reviewed periodically to ensure they remain fit for purpose.
• Appropriately capable and knowledgeable staff fill those roles and are given the time, authority, and resources to carry out their duties.
• There is clarity on who in your organisation has overall accountability for the security of the networks and information systems supporting your essential function.

A1.c Decision-making

You have senior-level accountability for the security of networks and information systems, and delegate decision-making authority appropriately and effectively. Risks to network and information systems related to the operation of essential functions are considered in the context of other organisational risks.

• Senior management have visibility of key risk decisions made throughout the organisation.
• Risk management decision-makers understand their responsibilities for making effective and timely decisions in the context of the risk appetite regarding the essential function, as set by senior management.