diff --git a/config/caf_text.yml b/config/caf_text.yml index 59f0122..6d87dc0 100644 --- a/config/caf_text.yml +++ b/config/caf_text.yml 
@@ -360,10 +360,286 @@ objectives: - All user, device and systems access to the systems supporting the essential function(s) is logged and monitored. - You regularly review access logs and correlate this data with other access records and expected activity. - Attempts by unauthorised users, devices or systems to connect to the systems supporting the essential function(s) are alerted, promptly assessed and investigated. - - - - + - principle: + name: Principle B3 Data Security + description: Data stored or transmitted electronically is protected from actions such as unauthorised access, modification, or deletion that may cause an adverse impact on essential functions. Such protection extends to the means by which authorised users, devices and systems access critical data necessary for the operation of essential functions. It also covers information that would assist an attacker, such as design details of network and information systems. + sub-principles: + - sub-principle: + name: B3.a Understanding Data + description: You have a good understanding of data important to the operation of your essential function(s), where it is stored, where it travels and how unavailability or unauthorised access, modification or deletion would adversely impact the essential function(s). This also applies to third parties storing or accessing data important to the operation of your essential function(s). + subprincipleitemgroups: + - subprincipleitemgroup: + kind: Not + condition: At least one + subprincipleitem: + - You have incomplete knowledge of what data is used by and produced in the operation of the essential function(s). + - You have not identified the important data on which your essential function(s) relies. + - You have not identified who has access to data important to the operation of the essential function(s). + - You have not clearly articulated the impact of data compromise or lack of availability. 
+ - subprincipleitemgroup: + kind: Partially + condition: All + subprincipleitem: + - You have identified and catalogued all the data important to the operation of the essential function(s), or that would assist an attacker. + - You have identified and catalogued who has access to the data important to the operation of the essential function(s). + - You regularly review location, transmission, quantity and quality of data important to the operation of the essential function(s). + - You have identified all mobile devices and media that hold data important to the operation of the essential function(s). + - You understand and document the impact on your essential function(s) of all relevant scenarios, including unauthorised data access, modification or deletion, or when authorised users are unable to appropriately access this data. + - You occasionally validate these documented impact statements. + - subprincipleitemgroup: + kind: Achieved + condition: All + subprincipleitem: + - You have identified and catalogued all the data important to the operation of the essential function(s), or that would assist an attacker. + - You have identified and catalogued who has access to the data important to the operation of the essential function(s). + - You maintain a current understanding of the location, quantity and quality of data important to the operation of the essential function(s). + - You take steps to remove or minimise unnecessary copies or unneeded historic data. + - You have identified all mobile devices and media that may hold data important to the operation of the essential function(s). + - You maintain a current understanding of the data links used to transmit data that is important to your essential function(s). + - You understand the context, limitations and dependencies of your important data. 
+ - You understand and document the impact on your essential function(s) of all relevant scenarios, including unauthorised data access, modification or deletion, or when authorised users are unable to appropriately access this data. + - You validate these documented impact statements regularly, at least annually. + - sub-principle: + name: B3.b Data in Transit + description: You have protected the transit of data important to the operation of your essential function(s). This includes the transfer of data to third parties. + subprincipleitemgroups: + - subprincipleitemgroup: + kind: Not + condition: At least one + subprincipleitem: + - You do not know what all your data links are, or which carry data important to the operation of the essential function(s). + - Data important to the operation of the essential function(s) travels without technical protection over non-trusted or openly accessible carriers. + - Critical data paths that could fail, be jammed, be overloaded, etc. have no alternative path. + - subprincipleitemgroup: + kind: Partially + condition: All + subprincipleitem: + - You have identified and protected (effectively and proportionately) all the data links that carry data important to the operation of your essential function(s). + - You apply appropriate technical means (e.g. cryptography) to protect data that travels over non-trusted or openly accessible carriers, but you have limited or no confidence in the robustness of the protection applied. + - subprincipleitemgroup: + kind: Achieved + condition: All + subprincipleitem: + - You have identified and protected (effectively and proportionately) all the data links that carry data important to the operation of your essential function(s). + - You apply appropriate physical and / or technical means to protect data that travels over non-trusted or openly accessible carriers, with justified confidence in the robustness of the protection applied. 
+ - Suitable alternative transmission paths are available where there is a significant risk of impact on the operation of the essential function(s) due to resource limitation (e.g. transmission equipment or function failure, or important data being blocked or jammed). + - sub-principle: + name: B3.c Stored Data + description: You have protected stored soft and hard copy data important to the operation of your essential function(s). + subprincipleitemgroups: + - subprincipleitemgroup: + kind: Not + condition: At least one + subprincipleitem: + - You have no, or limited, knowledge of where data important to the operation of the essential function(s) is stored. + - You have not protected vulnerable stored data important to the operation of the essential function(s) in a suitable way. + - Backups are incomplete, untested, not adequately secured or could be inaccessible in a disaster recovery or business continuity situation. + - subprincipleitemgroup: + kind: Partially + condition: All + subprincipleitem: + - All copies of data important to the operation of your essential function(s) are necessary. Where this important data is transferred to less secure systems, the data is provided with limited detail and / or as a read-only copy. + - You have applied suitable physical and / or technical means to protect this important stored data from unauthorised access, modification or deletion. + - If cryptographic protections are used, you apply suitable technical and procedural means, but you have limited or no confidence in the robustness of the protection applied. + - You have suitable, secured backups of data to allow the operation of the essential function(s) to continue should the original data not be available. This may include off-line or segregated backups, or appropriate alternative forms such as paper copies. 
+ - subprincipleitemgroup: + kind: Achieved + condition: All + subprincipleitem: + - All copies of data important to the operation of your essential function(s) are necessary. Where this important data is transferred to less secure systems, the data is provided with limited detail and / or as a read-only copy. + - You have applied suitable physical and / or technical means to protect this important stored data from unauthorised access, modification or deletion. + - If cryptographic protections are used you apply suitable technical and procedural means, and you have justified confidence in the robustness of the protection applied. + - You have suitable, secured backups of data to allow the operation of the essential function(s) to continue should the original data not be available. This may include off-line or segregated backups, or appropriate alternative forms such as paper copies. + - Necessary historic or archive data is suitably secured in storage. + - sub-principle: + name: B3.d Mobile Data + description: You have protected data important to the operation of your essential function(s) on mobile devices. + subprincipleitemgroups: + - subprincipleitemgroup: + kind: Not + condition: At least one + subprincipleitem: + - You don’t know which mobile devices may hold data important to the operation of the essential function(s). + - You allow data important to the operation of the essential function(s) to be stored on devices not managed by your organisation, or to at least equivalent standard. + - Data on mobile devices is not technically secured, or only some is secured. + - subprincipleitemgroup: + kind: Partially + condition: All + subprincipleitem: + - You know which mobile devices hold data important to the operation of the essential function(s). + - Data important to the operation of the essential function(s) is stored on mobile devices only when they have at least the security standard aligned to your overarching security policies. 
+ - Data on mobile devices is technically secured. + - subprincipleitemgroup: + kind: Achieved + condition: All + subprincipleitem: + - Mobile devices that hold data that is important to the operation of the essential function(s) are catalogued, are under your organisation's control and configured according to best practice for the platform, with appropriate technical and procedural policies in place. + - Your organisation can remotely wipe all mobile devices holding data important to the operation of the essential function(s). + - You have minimised this data on these mobile devices. Some data may be automatically deleted off mobile devices after a certain period. + - sub-principle: + name: B3.e Media / Equipment Sanitisation + description: Before reuse and / or disposal you appropriately sanitise devices, equipment and removable media holding data important to the operation of your essential function(s). + subprincipleitemgroups: + - subprincipleitemgroup: + kind: Not + condition: At least one + subprincipleitem: + - Some or all devices, equipment or removable media that hold data important to the operation of the essential function(s) are reused or disposed of without sanitisation of that data. + - subprincipleitemgroup: + kind: Partially + condition: All + subprincipleitem: + - Data important to the operations of the essential function(s) is removed from all devices, equipment and removable media before reuse and / or disposal. + - subprincipleitemgroup: + kind: Achieved + condition: All + subprincipleitem: + - You catalogue and track all devices that contain data important to the operation of the essential function(s) (whether a specific storage device or one with integral storage). + - Data important to the operation of the essential function(s) is removed from all devices, equipment and removable media before reuse and / or disposal using an assured product or service. 
+ - principle: + name: Principle B4 System Security + description: Network and information systems and technology critical for the operation of essential functions are protected from cyber attack. An organisational understanding of risk to essential functions informs the use of robust and reliable protective security measures to effectively limit opportunities for attackers to compromise networks and systems. + sub-principles: + - sub-principle: + name: B4.a Secure by Design + description: You design security into the network and information systems that support the operation of your essential function(s). You minimise their attack surface and ensure that the operation of your essential function(s) should not be impacted by the exploitation of any single vulnerability. + subprincipleitemgroups: + - subprincipleitemgroup: + kind: Not + condition: At least one + subprincipleitem: + - Systems essential to the operation of the essential function(s) are not appropriately segregated from other systems. + - Internet access is available from network and information systems supporting your essential function(s). + - Data flows between network and information systems supporting your essential function(s) and other systems are complex, making it hard to discriminate between legitimate and illegitimate / malicious traffic. + - Remote or third-party accesses circumvent some network controls to gain more direct access to network and information systems supporting the essential function(s). + - subprincipleitemgroup: + kind: Partially + condition: All + subprincipleitem: + - You employ appropriate expertise to design network and information systems. + - You design strong boundary defences where your network and information systems interface with other organisations or the world at large. + - You design simple data flows between your network and information systems and any external interface to enable effective monitoring. 
+ - You design to make network and information system recovery simple. + - All inputs to network and information systems supporting your essential function(s) are checked and validated at the network boundary where possible, or additional monitoring is in place for content-based attacks. + - subprincipleitemgroup: + kind: Achieved + condition: All + subprincipleitem: + - You employ appropriate expertise to design network and information systems. + - Your network and information systems are segregated into appropriate security zones (e.g. systems supporting the essential function(s) are segregated in a highly trusted, more secure zone). + - The network and information systems supporting your essential function(s) are designed to have simple data flows between components to support effective security monitoring. + - The network and information systems supporting your essential function(s) are designed to be easy to recover. Content-based attacks are mitigated for all inputs to network and information systems that affect the essential function(s) (e.g. via transformation and inspection). + - sub-principle: + name: B4.b Secure Configuration + description: You securely configure the network and information systems that support the operation of your essential function(s). + subprincipleitemgroups: + - subprincipleitemgroup: + kind: Not + condition: At least one + subprincipleitem: + - You haven't identified the assets that need to be carefully configured to maintain the security of the essential function(s). + - Policies relating to the security of operating system builds or configuration are not applied consistently across your network and information systems relating to your essential function(s). + - Configuration details are not recorded or lack enough information to be able to rebuild the system or device. + - The recording of security changes or adjustments that affect your essential function(s) is lacking or inconsistent. 
+ - Generic, shared, default name and built-in accounts have not been removed or disabled. + - subprincipleitemgroup: + kind: Partially + condition: All + subprincipleitem: + - You have identified and documented the assets that need to be carefully configured to maintain the security of the essential function(s). + - Secure platform and device builds are used across the estate. + - Consistent, secure and minimal system and device configurations are applied across the same types of environment. + - Changes and adjustments to security configuration at security boundaries with the network and information systems supporting your essential function(s) are approved and documented. + - You verify software before installation is permitted. + - Generic, shared, default name and built-in accounts have been removed or disabled. Where this is not possible, credentials to these accounts have been changed. + - subprincipleitemgroup: + kind: Achieved + condition: All + subprincipleitem: + - You have identified, documented and actively manage (e.g. maintain security configurations, patching, updating according to good practice) the assets that need to be carefully configured to maintain the security of the essential function(s). + - All platforms conform to your secure, defined baseline build, or the latest known good configuration version for that environment. + - You closely and effectively manage changes in your environment, ensuring that network and system configurations are secure and documented. + - You regularly review and validate that your network and information systems have the expected, secure settings and configuration. + - Only permitted software can be installed. + - Standard users are not able to change settings that would impact security or the business operation. + - If automated decision-making technologies are in use, their operation is well understood, and decisions can be replicated. 
+ - Generic, shared, default name and built-in accounts have been removed or disabled. Where this is not possible, credentials to these accounts have been changed. + - sub-principle: + name: B4.c Secure Management + description: You manage your organisation's network and information systems that support the operation of your essential function(s) to enable and maintain security. + subprincipleitemgroups: + - subprincipleitemgroup: + kind: Not + condition: At least one + subprincipleitem: + - Your systems and devices supporting the operation of the essential function(s) are administered or maintained from devices that are not corporately owned and managed. + - You do not have good or current technical documentation of your network and information systems. + - subprincipleitemgroup: + kind: Partially + condition: All + subprincipleitem: + - Your systems and devices supporting the operation of the essential function(s) are only administered or maintained by authorised privileged users from devices sufficiently separated, using a risk-based approach, from the activities of standard users. + - Technical knowledge about network and information systems, such as documentation and network diagrams, is regularly reviewed and updated. + - You prevent, detect and remove malware, and unauthorised software. You use technical, procedural and physical measures as necessary. + - subprincipleitemgroup: + kind: Achieved + condition: All + subprincipleitem: + - Your systems and devices supporting the operation of the essential function(s) are only administered or maintained by authorised privileged users from highly trusted devices, such as Privileged Access Workstations, dedicated solely to those operations. + - You regularly review and update technical knowledge about network and information systems, such as documentation and network diagrams, and ensure they are securely stored. + - You prevent, detect and remove malware, and unauthorised software. 
+ - You use technical, procedural and physical measures as necessary. + - sub-principle: + name: B4.d. Vulnerability Management + description: You manage known vulnerabilities in your network and information systems to prevent adverse impact on your essential function(s). + subprincipleitemgroups: + - subprincipleitemgroup: + kind: Not + condition: At least one + subprincipleitem: + - You do not understand the exposure of your essential function(s) to publicly-known vulnerabilities. + - You do not mitigate externally exposed vulnerabilities promptly. + - You have not recently tested to verify your understanding of the vulnerabilities of the network and information systems that support your essential function(s). + - You have not suitably mitigated systems or software that is no longer supported. + - You are not pursuing replacement for unsupported systems or software. + - subprincipleitemgroup: + kind: Partially + condition: All + subprincipleitem: + - You maintain a current understanding of the exposure of your essential function(s) to publicly-known vulnerabilities. + - Announced vulnerabilities for all software packages, network and information systems used to support your essential function(s) are tracked, prioritised and externally exposed vulnerabilities are mitigated (e.g. by patching) promptly. + - Some vulnerabilities that are not externally exposed have temporary mitigations for an extended period. + - You have temporary mitigations for unsupported systems and software while pursuing migration to supported technology. + - You regularly test to fully understand the vulnerabilities of the network and information systems that support the operation of your essential function(s). + - subprincipleitemgroup: + kind: Achieved + condition: All + subprincipleitem: + - You maintain a current understanding of the exposure of your essential function(s) to publicly-known vulnerabilities. 
+ - Announced vulnerabilities for all software packages, network and information systems used to support your essential function(s) are tracked, prioritised and mitigated (e.g. by patching) promptly. + - You regularly test to fully understand the vulnerabilities of the network and information systems that support the operation of your essential function(s) and verify this understanding with third-party testing. + - You maximise the use of supported software, firmware and hardware in your network and information systems supporting your essential function(s). + - principle: + name: Principle B5 Resilient Networks and Systems + description: The organisation builds resilience against cyber attack and system failure into the design, implementation, operation and management of systems that support the operation of essential functions. + sub-principles: + - sub-principle: + name: B5.a Resilience Preparation + description: You are prepared to restore the operation of your essential function(s) following adverse impact. + subprincipleitemgroups: + - subprincipleitemgroup: + kind: Not + condition: Any + subprincipleitem: + - You have limited understanding of all the elements that are required to restore operation of the essential function(s). + - You have not completed business continuity and disaster recovery plans for network and information systems, including their dependencies, supporting the operation of the essential function(s). + - You have not fully assessed the practical implementation of your business continuity and disaster recovery plans. + - subprincipleitemgroup: + kind: Partially + condition: All + subprincipleitem: + - You have business continuity and disaster recovery plans that have been tested for practicality, effectiveness and completeness. Appropriate use is made of different test methods (e.g. manual fail-over, table-top exercises, or red-teaming). 
+ - You use your security awareness and threat intelligence sources to identify new or heightened levels of risk, which result in immediate and potentially temporary security measures to enhance the security of your network and information systems (e.g. in response to a widespread outbreak of very damaging malware). # # - objective: # name: Objective C - Detecting cyber security events
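Review bot: the `condition` value for the B5.a "Not" group is `Any`, while every other "Not" group in this hunk (B3.a through B4.d) uses `At least one`; if anything consumes this YAML and switches on the condition string, the B5.a group will not match, so normalise it to `condition: At least one`. Two smaller consistency points in the same hunk: the sub-principle name `B4.d. Vulnerability Management` carries a trailing period after the letter that `B4.a`, `B4.b` and `B4.c` do not, and the B3.d "Not" item uses a curly apostrophe (`You don’t know`) where the B4.b item uses a straight one (`You haven't identified`), which matters for anyone grepping or diffing the text. Finally, the hunk ends with B5.a having only "Not" and "Partially" groups, unlike every other sub-principle which has an "Achieved" group as well, followed by commented-out `# - objective:` / `# name: Objective C` lines; please confirm whether the B5.a "Achieved" group and the remaining B5 sub-principles are intentionally deferred to a follow-up, and if so say so in the commit message rather than leaving the commented stub in the config.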