objectives:
  - objective:
      name: Objective A - Managing security risk
      description: Appropriate organisational structures, policies, and processes in place to understand, assess and systematically manage security risks to the network and information systems supporting essential functions.
      principles:
        - principle:
            name: A1 Governance
            description: The organisation has appropriate management policies and processes in place to govern its approach to the security of network and information systems.
            sub-principles:
              - sub-principle:
                  name: A1.a Board Direction
                  description: You have effective organisational security management led at board level and articulated clearly in corresponding policies.
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - The security of network and information systems related to the operation of essential functions is not discussed or reported on regularly at board-level.
                          - Board-level discussions on the security of networks and information systems are based on partial or out-of-date information, without the benefit of expert guidance.
                          - The security of networks and information systems supporting your essential functions is not driven effectively by the direction set at board level.
                          - Senior management or other pockets of the organisation consider themselves exempt from some policies or expect special accommodations to be made.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - Your organisation's approach and policy relating to the security of networks and information systems supporting the operation of essential functions are owned and managed at board level. These are communicated, in a meaningful way, to risk management decision-makers across the organisation.
                          - Regular board discussions on the security of network and information systems supporting the operation of your essential function take place, based on timely and accurate information and informed by expert guidance.
                          - There is a board-level individual who has overall accountability for the security of networks and information systems and drives regular discussion at board-level.
                          - Direction set at board level is translated into effective organisational practices that direct and control the security of the networks and information systems supporting your essential function.
              - sub-principle:
                  name: A1.b Roles and Responsibilities
                  description: Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - Key roles are missing, left vacant, or fulfilled on an ad-hoc or informal basis.
                          - Staff are assigned security responsibilities but without adequate authority or resources to fulfil them.
                          - Staff are unsure what their responsibilities are for the security of the essential function.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - Key roles and responsibilities for the security of network and information systems supporting your essential function(s) have been identified. These are reviewed regularly to ensure they remain fit for purpose.
                          - Appropriately capable and knowledgeable staff fill those roles and are given the time, authority, and resources to carry out their duties.
                          - There is clarity on who in your organisation has overall accountability for the security of the network and information systems supporting your essential function(s).
              - sub-principle:
                  name: A1.c Decision-making
                  description: You have senior-level accountability for the security of networks and information systems, and delegate decision-making authority appropriately and effectively. Risks to network and information systems related to the operation of essential functions are considered in the context of other organisational risks.
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - What should be relatively straightforward risk decisions are constantly referred up the chain, or not made.
                          - Risks are resolved informally (or ignored) at a local level when the use of a more formal risk reporting mechanism would be more appropriate.
                          - Decision-makers are unsure of what senior management's risk appetite is, or only understand it in vague terms such as "averse" or "cautious".
                          - Organisational structure causes risk decisions to be made in isolation (e.g. engineering and IT don't talk to each other about risk).
                          - Risk priorities are too vague to make meaningful distinctions between them (e.g. almost all risks are rated 'medium' or 'amber').
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - Senior management have visibility of key risk decisions made throughout the organisation.
                          - Risk management decision-makers understand their responsibilities for making effective and timely decisions in the context of the risk appetite regarding the essential function(s), as set by senior management.
                          - Risk management decision-making is delegated and escalated where necessary, across the organisation, to people who have the skills, knowledge, tools, and authority they need.
                          - Risk management decisions are periodically reviewed to ensure their continued relevance and validity.
        - principle:
            name: A2 Risk Management
            description: The organisation takes appropriate steps to identify, assess and understand security risks to the network and information systems supporting the operation of essential functions. This includes an overall organisational approach to risk management.
            sub-principles:
              - sub-principle:
                  name: A2.a Risk Management Process
                  description: Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - Risk assessments are not based on a clearly defined set of threat assumptions.
                          - Risk assessment outputs are too complex or unwieldy to be consumed by decision-makers and are not effectively communicated in a clear and timely manner.
                          - Risk assessments for critical systems are a "one-off" activity (or not done at all).
                          - The security elements of projects or programmes are solely dependent on the completion of a risk management assessment without any regard to the outcomes.
                          - There is no systematic process in place to ensure that identified security risks are managed effectively.
                          - Systems are assessed in isolation, without consideration of dependencies and interactions with other systems (e.g. interactions between IT and OT environments).
                          - Security requirements and mitigations are arbitrary or are applied from a control catalogue without consideration of how they contribute to the security of the essential function.
                          - Risks remain unresolved on a register for prolonged periods of time awaiting senior decision-making or resource allocation to resolve.
                    - subprincipleitemgroup:
                        kind: Partially
                        condition: All
                        subprincipleitem:
                          - Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.
                          - Your risk assessments are informed by an understanding of the vulnerabilities in the network and information systems supporting your essential function(s).
                          - The output from your risk management process is a clear set of security requirements that will address the risks in line with your organisational approach to security.
                          - Significant conclusions reached in the course of your risk management process are communicated to key security decision-makers and accountable individuals.
                          - You conduct risk assessments when significant events potentially affect the essential function(s), such as replacing a system or a change in the cyber security threat.
                          - You perform threat analysis and understand how generic threats apply to your organisation.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.
                          - Your approach to risk is focused on the possibility of adverse impact to your essential function, leading to a detailed understanding of how such impact might arise as a consequence of possible attacker actions and the security properties of your networks and information systems.
                          - Your risk assessments are based on a clearly understood set of threat assumptions, informed by an up-to-date understanding of security threats to your essential function and your sector.
                          - Your risk assessments are informed by an understanding of the vulnerabilities in the networks and information systems supporting your essential function.
                          - The output from your risk management process is a clear set of security requirements that will address the risks in line with your organisational approach to security.
                          - Significant conclusions reached in the course of your risk management process are communicated to key security decision-makers and accountable individuals.
                          - Your risk assessments are dynamic and updated in the light of relevant changes which may include technical changes to networks and information systems, change of use and new threat information.
                          - The effectiveness of your risk management process is reviewed periodically, and improvements made as required.
                          - You perform detailed threat analysis and understand how this applies to your organisation in the context of the threat to your sector and the wider CNI.
              - sub-principle:
                  name: A2.b Assurance
                  description: You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to essential functions.
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - A particular product or service is seen as a "silver bullet" and vendor claims are taken at face value.
                          - Assurance methods are applied without appreciation of their strengths and limitations, such as the risks of penetration testing in operational environments.
                          - Assurance is assumed because there have been no known problems to date.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - You validate that the security measures in place to protect the networks and information systems are effective and remain effective for the lifetime over which they are needed.
                          - You understand the assurance methods available to you and choose appropriate methods to gain confidence in the security of essential functions.
                          - Your confidence in the security as it relates to your technology, people, and processes can be justified to, and verified by, a third party.
                          - Security deficiencies uncovered by assurance activities are assessed, prioritised and remedied when necessary in a timely and effective way.
                          - The methods used for assurance are reviewed to ensure they are working as intended and remain the most appropriate method to use.
        - principle:
            name: Principle A3 Asset Management
            description: Everything required to deliver, maintain or support network and information systems necessary for the operation of essential functions is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling).
            sub-principles:
              - sub-principle:
                  name: A3.a Asset Management
                  description: None
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - Inventories of assets relevant to the essential function(s) are incomplete, non-existent, or inadequately detailed.
                          - Only certain domains or types of asset are documented and understood. Dependencies between assets are not understood (such as the dependencies between IT and OT).
                          - Information assets, which could include personally identifiable information and / or important / critical data, are stored for long periods of time with no clear business need or retention policy.
                          - Knowledge critical to the management, operation, or recovery of the essential function(s) is held by one or two key individuals with no succession plan.
                          - Asset inventories are neglected and out of date.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - All assets relevant to the secure operation of essential function(s) are identified and inventoried (at a suitable level of detail). The inventory is kept up-to-date.
                          - Dependencies on supporting infrastructure (e.g. power, cooling etc) are recognised and recorded.
                          - You have prioritised your assets according to their importance to the operation of the essential function(s).
                          - You have assigned responsibility for managing all assets, including physical assets, relevant to the operation of the essential function(s).
                          - Assets relevant to the essential function(s) are managed with cyber security in mind throughout their lifecycle, from creation through to eventual decommissioning or disposal.
        - principle:
            name: Principle A4 Supply Chain
            description: The organisation understands and manages security risks to network and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.
            sub-principles:
              - sub-principle:
                  name: A4.a Supply Chain
                  description: None
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - You do not know what data belonging to you is held by suppliers, or how it is managed.
                          - Elements of the supply chain for essential function(s) are subcontracted and you have little or no visibility of the sub-contractors.
                          - You have no understanding of which contracts are relevant and / or relevant contracts do not specify appropriate security obligations.
                          - Suppliers have access to systems that provide your essential function(s) that is unrestricted, not monitored or bypasses your own security controls.
                    - subprincipleitemgroup:
                        kind: Partially
                        condition: All
                        subprincipleitem:
                          - You understand the general risks suppliers may pose to your essential function(s).
                          - You know the extent of your supply chain that supports your essential function(s), including sub-contractors.
                          - You understand which contracts are relevant and you include appropriate security obligations in relevant contracts.
                          - You are aware of all third-party connections and have assurance that they meet your organisation’s security requirements.
                          - Your approach to security incident management considers incidents that might arise in your supply chain.
                          - You have confidence that information shared with suppliers that is necessary for the operation of your essential function(s) is appropriately protected from well-known attacks and known vulnerabilities.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - You have a deep understanding of your supply chain, including sub-contractors and the wider risks it faces. You consider factors such as supplier’s partnerships, competitors, nationality and other organisations with which they sub-contract. This informs your risk assessment and procurement processes.
                          - Your approach to supply chain risk management considers the risks to your essential function(s) arising from supply chain subversion by capable and well-resourced attackers.
                          - You have confidence that information shared with suppliers that is essential to the operation of your function(s) is appropriately protected from sophisticated attacks.
                          - You understand which contracts are relevant and you include appropriate security obligations in relevant contracts. You have a proactive approach to contract management which may include a contract management plan for relevant contracts.
                          - Customer / supplier ownership of responsibilities is laid out in contracts.
                          - All network connections and data sharing with third parties are managed effectively and proportionately.
                          - When appropriate, your incident management process and that of your suppliers provide mutual support in the resolution of incidents.
  - objective:
      name: Objective B - Protecting against cyber attack
      description: Proportionate security measures are in place to protect the network and information systems supporting essential functions from cyber attack.
      principles:
        - principle:
            name: B1 Service Protection Policies, Processes and Procedures
            description: The organisation defines, implements, communicates and enforces appropriate policies, processes and procedures that direct its overall approach to securing systems and data that support operation of essential functions.
            sub-principles:
              - sub-principle:
                  name: B1.a Policy, Process and Procedure Development
                  description: You have developed and continue to improve a set of cyber security and resilience policies, processes and procedures that manage and mitigate the risk of adverse impact on your essential function(s).
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - Your policies, processes and procedures are absent or incomplete.
                          - Policies, processes and procedures are not applied universally or consistently.
                          - People often or routinely circumvent policies, processes and procedures to achieve business objectives.
                          - Your organisation’s security governance and risk management approach has no bearing on your policies, processes and procedures.
                          - System security is totally reliant on users' careful and consistent application of manual security processes.
                          - Policies, processes and procedures have not been reviewed in response to major changes (e.g. technology or regulatory framework), or within a suitable period.
                          - Policies, processes and procedures are not readily available to staff, too detailed to remember, or too hard to understand.
                    - subprincipleitemgroup:
                        kind: Partially
                        condition: All
                        subprincipleitem:
                          - Most of your policies, processes and procedures are followed and their application is monitored.
                          - Your policies, processes and procedures are integrated with other organisational policies, processes and procedures, including HR assessments of individuals' trustworthiness.
                          - All staff are aware of their responsibilities under your policies, processes and procedures.
                          - All breaches of policies, processes and procedures with the potential to adversely impact the essential function(s) are fully investigated. Other breaches are tracked, assessed for trends and action is taken to understand and address them.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - All your policies, processes and procedures are followed, and their correct application and security effectiveness is evaluated.
                          - Your policies, processes and procedures are integrated with other organisational policies, processes and procedures, including HR assessments of individuals' trustworthiness.
                          - Your policies, processes and procedures are effectively and appropriately communicated across all levels of the organisation resulting in good staff awareness of their responsibilities.
                          - Appropriate action is taken to address all breaches of policies, processes and procedures with potential to adversely impact the essential function(s), including aggregated breaches.
        - principle:
            name: Principle B2 Identity and Access Control
            description: The organisation understands, documents and manages access to network and information systems supporting the operation of essential functions. Users (or automated functions) that can access data or systems are appropriately verified, authenticated and authorised.
            sub-principles:
              - sub-principle:
                  name: B2.a Identity Verification, Authentication and Authorisation
                  description: You robustly verify, authenticate and authorise access to the network and information systems supporting your essential function(s).
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - Initial identity verification is not robust enough to provide an acceptable level of confidence of a user’s identity profile.
                          - Authorised users and systems with access to networks or information systems on which your essential function(s) depends cannot be individually identified.
                          - Unauthorised individuals or devices can access your network or information systems on which your essential function(s) depends.
                          - The number of authorised users and systems that have access to your network and information systems is not limited to the minimum necessary.
                          - Your approach to authenticating users, devices and systems does not follow up-to-date best practice.
                    - subprincipleitemgroup:
                        kind: Partially
                        condition: All
                        subprincipleitem:
                          - Your process of initial identity verification is robust enough to provide a reasonable level of confidence of a user’s identity profile before allowing an authorised user access to network and information systems that support your essential function(s).
                          - All authorised users and systems with access to network or information systems on which your essential function(s) depends are individually identified and authenticated.
                          - The number of authorised users and systems that have access to essential function(s) network and information systems is limited to the minimum necessary.
                          - You use additional authentication mechanisms, such as multi-factor (MFA), for privileged access to all network and information systems that operate or support your essential function(s).
                          - You individually authenticate and authorise all remote access to all your network and information systems that support your essential function(s).
                          - The list of users and systems with access to network and information systems supporting and delivering the essential function(s) is reviewed on a regular basis, at least annually.
                          - Your approach to authenticating users, devices and systems follows up-to-date best practice.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - Your process of initial identity verification is robust enough to provide a high level of confidence of a user’s identity profile before allowing an authorised user access to network and information systems that support your essential function(s).
                          - Only authorised and individually authenticated users can physically access and logically connect to your network or information systems on which your essential function(s) depends.
                          - The number of authorised users and systems that have access to all your network and information systems supporting the essential function(s) is limited to the minimum necessary.
                          - You use additional authentication mechanisms, such as multi-factor (MFA), for all user access, including remote access, to all network and information systems that operate or support your essential function(s).
                          - The list of users and systems with access to network and information systems supporting and delivering the essential function(s) is reviewed on a regular basis, at least every six months.
                          - Your approach to authenticating users, devices and systems follows up-to-date best practice.
              - sub-principle:
                  name: B2.b Device Management
                  description: You fully know and have trust in the devices that are used to access your networks, information systems and data that support your essential function(s).
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - Users can connect to your network and information systems supporting your essential function(s) using devices that are not corporately owned and managed.
                          - Privileged users can perform privileged operations from devices that are not corporately owned and managed.
                          - You have not gained assurance in the security of any third-party devices or networks connected to your systems.
                          - Physically connecting a device to your network and information systems gives that device access without device or user authentication.
                    - subprincipleitemgroup:
                        kind: Partially
                        condition: All
                        subprincipleitem:
                          - Only corporately owned and managed devices can access your essential function(s) network and information systems.
                          - All privileged operations are performed from corporately owned and managed devices.
                          - These devices provide sufficient separation, using a risk-based approach, from the activities of standard users.
                          - You have sought to understand the security properties of third-party devices and networks before they can be connected to your systems.
                          - You have taken appropriate steps to mitigate any risks identified.
                          - The act of connecting to a network port or cable does not grant access to any systems.
                          - You are able to detect unknown devices being connected to your network and information systems and investigate such incidents.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - All privileged operations performed on your network and information systems supporting your essential function(s) are conducted from highly trusted devices, such as Privileged Access Workstations, dedicated solely to those operations.
                          - You either obtain independent and professional assurance of the security of third-party devices or networks before they connect to your network and information systems, or you only allow third-party devices or networks that are dedicated to supporting your network and information systems to connect.
                          - You perform certificate-based device identity management and only allow known devices to access systems necessary for the operation of your essential function(s).
                          - You perform regular scans to detect unknown devices and investigate any findings.
              - sub-principle:
                  name: B2.c Privileged User Management
                  description: You closely manage privileged user access to network and information systems supporting your essential function(s).
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - The identities of the individuals with privileged access to network and information systems (infrastructure, platforms, software, configuration etc) supporting your essential function(s) are not known or not managed.
                          - Privileged user access to network and information systems supporting your essential function(s) is via weak authentication mechanisms (e.g. only simple passwords).
                          - The list of privileged users has not been reviewed recently (e.g. within the last 12 months).
                          - Privileged user access is granted on a system-wide basis rather than by role or function(s).
                          - Privileged user access to your essential function(s) is via generic, shared or default name accounts.
                          - Where there are “always on” terminals which can perform privileged actions (such as in a control room), there are no additional controls (e.g. physical controls) to ensure access is appropriately restricted.
                          - There is no logical separation between roles that an individual may have and hence the actions they perform (e.g. access to corporate email and privileged user actions).
                    - subprincipleitemgroup:
                        kind: Partially
                        condition: All
                        subprincipleitem:
                          - All privileged user access to network and information systems supporting your essential function(s) requires strong authentication, such as multi-factor (MFA).
                          - The identities of the individuals with privileged access to network and information systems (infrastructure, platforms, software, configuration etc) supporting your essential function(s) are known and managed. This includes third parties.
                          - Activity by privileged users is routinely reviewed and validated (e.g. at least annually).
                          - Privileged users are only granted specific privileged user access rights which are essential to their business role or function.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - Privileged user access to network and information systems supporting your essential function(s) is carried out from dedicated separate accounts that are closely monitored and managed.
                          - The issuing of temporary, time-bound rights for privileged user access and / or external third-party support access is in place.
                          - Privileged user access rights are regularly reviewed and always updated as part of your joiners, movers and leavers process.
                          - All privileged user activity is routinely reviewed, validated and recorded for offline analysis and investigation.
              - sub-principle:
                  name: B2.d Identity and Access Management (IdAM)
                  description: You closely manage and maintain identity and access control for users, devices and systems accessing the network and information systems supporting your essential function(s).
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - Greater access rights are granted than necessary.
                          - Identity validation and the requirement for access of a user, device or system is not carried out.
                          - User access rights are not reviewed when users change roles.
                          - User access rights remain active when users leave your organisation.
                          - Access rights granted to devices or systems to access other devices and systems are not reviewed on a regular basis (at least annually).
                    - subprincipleitemgroup:
                        kind: Partially
                        condition: All
                        subprincipleitem:
                          - You follow a robust procedure to verify each user and issue the minimum required access rights.
                          - You regularly review access rights and those no longer needed are revoked.
                          - User access rights are reviewed when users change roles via your joiners, leavers and movers process.
                          - All user, device and system access to the systems supporting the essential function(s) is logged and monitored, but it is not compared to other log data or access records.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - You follow a robust procedure to verify each user and issue the minimum required access rights, and the application of the procedure is regularly audited.
                          - User access rights are reviewed both when people change roles via your joiners, leavers and movers process and at regular intervals, at least annually.
                          - All user, device and system access to the systems supporting the essential function(s) is logged and monitored.
                          - You regularly review access logs and correlate this data with other access records and expected activity.
                          - Attempts by unauthorised users, devices or systems to connect to the systems supporting the essential function(s) are alerted, promptly assessed and investigated.
#
#  - objective:
#      name: Objective C - Detecting cyber security events
#
#  - objective:
#      name: Objective D - Minimising the impact of cyber security incidents
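The B2.c and B2.d indicators ask for access lists to be reviewed against the joiners, movers and leavers process, for generic or shared privileged accounts to be eliminated, and for access logs to be correlated with other access records so that unauthorised connection attempts are alerted rather than merely logged. The Python script below is an added example of what that correlation looks like in practice; it is not part of the CAF and not NCSC code. The access register, the leavers feed, the log line format, the generic-account name markers and the fixed review date are all constructed assumptions, and the review-age thresholds (six months for the access list from B2.a, annual for access rights from B2.d) are applied here as a privileged/standard split that is this example's own choice.

```python
"""Access-review correlation check in the spirit of CAF B2.c / B2.d.

Added example, not CAF or NCSC code. It joins three constructed records:
  - an authorised-access register (user, system, privileged?, last review date),
  - a joiners/movers/leavers feed (user -> leave date),
  - access-log lines from the systems supporting the essential function,
and reports: leavers whose entitlement is still active, entitlements whose
review is overdue, shared/generic privileged accounts, log-ins by leavers after
their leave date, and connection attempts by identities not on the register.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# --- constructed sample data (assumptions, formats are illustrative) ---------
ACCESS_REGISTER = [
    # (user, system, privileged, last entitlement review)
    ("alice", "scada-hist-01", False, date(2024, 1, 10)),
    ("bob", "scada-hist-01", True, date(2023, 2, 1)),       # review overdue
    ("carol", "plc-gateway", True, date(2024, 3, 1)),
    ("ops-shared", "plc-gateway", True, date(2024, 3, 1)),  # generic account
    ("dave", "scada-hist-01", False, date(2024, 3, 1)),     # has left
]
LEAVERS = {"dave": date(2024, 2, 15)}   # JML feed: user -> leave date

ACCESS_LOG = """\
2024-03-04T08:01:12Z scada-hist-01 user=alice result=success
2024-03-04T08:05:40Z plc-gateway user=carol result=success
2024-03-04T09:12:03Z scada-hist-01 user=dave result=success
2024-03-04T11:47:55Z plc-gateway user=mallory result=failure
2024-03-04T11:48:10Z plc-gateway user=mallory result=failure
2024-03-04T12:00:00Z plc-gateway user=ops-shared result=success
"""
TODAY = date(2024, 3, 5)  # fixed so the example is deterministic

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<system>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")
GENERIC_MARKERS = ("shared", "admin", "root", "service")   # assumption
PRIVILEGED_REVIEW_MAX_AGE = timedelta(days=183)  # B2.a achieved: at least every six months
STANDARD_REVIEW_MAX_AGE = timedelta(days=365)    # B2.d achieved: at least annually


@dataclass(frozen=True)
class Finding:
    indicator: str   # which CAF indicator the finding relates to
    user: str
    system: str
    detail: str


def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Parse the constructed log format; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["system"], m["user"], m["result"]))
    return events


def review_access(register, leavers, log_text, today) -> list[Finding]:
    """Correlate register, JML feed and access log; return the findings."""
    findings: list[Finding] = []
    entitled = {(u, s) for u, s, _, _ in register}

    # Register-side checks (B2.c / B2.d: JML, review cadence, generic accounts).
    for user, system, privileged, reviewed in register:
        if user in leavers and leavers[user] <= today:
            findings.append(Finding("B2.d leaver access still active", user, system,
                                    f"left {leavers[user].isoformat()}"))
        max_age = PRIVILEGED_REVIEW_MAX_AGE if privileged else STANDARD_REVIEW_MAX_AGE
        if today - reviewed > max_age:
            findings.append(Finding("B2.a/B2.d entitlement review overdue", user, system,
                                    f"last reviewed {reviewed.isoformat()}"))
        if privileged and any(marker in user for marker in GENERIC_MARKERS):
            findings.append(Finding("B2.c generic/shared privileged account", user, system, ""))

    # Log-side checks (B2.d: correlate access logs with the access records).
    for ts, system, user, result in parse_log(log_text):
        if (user, system) not in entitled:
            findings.append(Finding("B2.d unauthorised access attempt", user, system,
                                    f"{ts.isoformat()} result={result}"))
        elif user in leavers and ts.date() > leavers[user]:
            findings.append(Finding("B2.d leaver log-in after leave date", user, system,
                                    ts.isoformat()))
    return findings


def run_example() -> list[Finding]:
    return review_access(ACCESS_REGISTER, LEAVERS, ACCESS_LOG, TODAY)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.indicator:45} {f.user:12} {f.system:15} {f.detail}")
```

Two points are deliberate. Entitlement is keyed on the (user, system) pair, not the user alone, so a log-in by a legitimate user on a system they are not entitled to is still reported as unauthorised. Failed attempts are reported as well as successes, because the Achieved indicator is about attempts being alerted and investigated, not only about breaches that succeeded.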