1077 lines
113 KiB
YAML
objectives:
- objective:
    name: Objective A - Managing security risk
    description: Appropriate organisational structures, policies, and processes in place to understand, assess and systematically manage security risks to the network and information systems supporting essential functions.
    principles:
    - principle:
        name: A1 Governance
        description: The organisation has appropriate management policies and processes in place to govern its approach to the security of network and information systems.
        sub-principles:
        - sub-principle:
            name: A1.a Board Direction
            description: You have effective organisational security management led at board level and articulated clearly in corresponding policies.
            subprincipleitemgroups:
            - subprincipleitemgroup:
                kind: Not
                condition: At least one
                subprincipleitem:
                - The security of network and information systems related to the operation of essential functions is not discussed or reported on regularly at board-level.
                - Board-level discussions on the security of networks and information systems are based on partial or out-of-date information, without the benefit of expert guidance.
                - The security of networks and information systems supporting your essential functions is not driven effectively by the direction set at board level.
                - Senior management or other pockets of the organisation consider themselves exempt from some policies or expect special accommodations to be made.
            - subprincipleitemgroup:
                kind: Achieved
                condition: All
                subprincipleitem:
                - Your organisation's approach and policy relating to the security of networks and information systems supporting the operation of essential functions are owned and managed at board level. These are communicated, in a meaningful way, to risk management decision-makers across the organisation.
                - Regular board discussions on the security of network and information systems supporting the operation of your essential function take place, based on timely and accurate information and informed by expert guidance.
                - There is a board-level individual who has overall accountability for the security of networks and information systems and drives regular discussion at board-level.
                - Direction set at board level is translated into effective organisational practices that direct and control the security of the networks and information systems supporting your essential function.
        - sub-principle:
            name: A1.b Roles and Responsibilities
            description: Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.
            subprincipleitemgroups:
            - subprincipleitemgroup:
                kind: Not
                condition: At least one
                subprincipleitem:
                - Key roles are missing, left vacant, or fulfilled on an ad-hoc or informal basis.
                - Staff are assigned security responsibilities but without adequate authority or resources to fulfil them.
                - Staff are unsure what their responsibilities are for the security of the essential function.
            - subprincipleitemgroup:
                kind: Achieved
                condition: All
                subprincipleitem:
                - Key roles and responsibilities for the security of network and information systems supporting your essential function(s) have been identified. These are reviewed regularly to ensure they remain fit for purpose.
                - Appropriately capable and knowledgeable staff fill those roles and are given the time, authority, and resources to carry out their duties.
                - There is clarity on who in your organisation has overall accountability for the security of the network and information systems supporting your essential function(s).
        - sub-principle:
            name: A1.c Decision-making
            description: You have senior-level accountability for the security of networks and information systems, and delegate decision-making authority appropriately and effectively. Risks to network and information systems related to the operation of essential functions are considered in the context of other organisational risks.
            subprincipleitemgroups:
            - subprincipleitemgroup:
                kind: Not
                condition: At least one
                subprincipleitem:
                - What should be relatively straightforward risk decisions are constantly referred up the chain, or not made.
                - Risks are resolved informally (or ignored) at a local level when the use of a more formal risk reporting mechanism would be more appropriate.
                - Decision-makers are unsure of what senior management's risk appetite is, or only understand it in vague terms such as "averse" or "cautious".
                - Organisational structure causes risk decisions to be made in isolation. (e.g. engineering and IT don't talk to each other about risk).
                - Risk priorities are too vague to make meaningful distinctions between them. (e.g. almost all risks are rated 'medium' or 'amber').
            - subprincipleitemgroup:
                kind: Achieved
                condition: All
                subprincipleitem:
                - Senior management have visibility of key risk decisions made throughout the organisation.
                - Risk management decision-makers understand their responsibilities for making effective and timely decisions in the context of the risk appetite regarding the essential function(s), as set by senior management.
                - Risk management decision-making is delegated and escalated where necessary, across the organisation, to people who have the skills, knowledge, tools, and authority they need.
                - Risk management decisions are periodically reviewed to ensure their continued relevance and validity.
    - principle:
        name: A2 Risk Management
        description: The organisation takes appropriate steps to identify, assess and understand security risks to the network and information systems supporting the operation of essential functions. This includes an overall organisational approach to risk management.
        sub-principles:
        - sub-principle:
            name: A2.a Risk Management Process
            description: Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.
            subprincipleitemgroups:
            - subprincipleitemgroup:
                kind: Not
                condition: At least one
                subprincipleitem:
                - Risk assessments are not based on a clearly defined set of threat assumptions.
                - Risk assessment outputs are too complex or unwieldy to be consumed by decision-makers and are not effectively communicated in a clear and timely manner.
                - Risk assessments for critical systems are a "one-off" activity (or not done at all).
                - The security elements of projects or programmes are solely dependent on the completion of a risk management assessment without any regard to the outcomes.
                - There is no systematic process in place to ensure that identified security risks are managed effectively.
                - Systems are assessed in isolation, without consideration of dependencies and interactions with other systems. (e.g. interactions between IT and OT environments).
                - Security requirements and mitigations are arbitrary or are applied from a control catalogue without consideration of how they contribute to the security of the essential function.
                - Risks remain unresolved on a register for prolonged periods of time awaiting senior decision-making or resource allocation to resolve.
            - subprincipleitemgroup:
                kind: Partially
                condition: All
                subprincipleitem:
                - Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.
                - Your risk assessments are informed by an understanding of the vulnerabilities in the network and information systems supporting your essential function(s).
                - The output from your risk management process is a clear set of security requirements that will address the risks in line with your organisational approach to security.
                - Significant conclusions reached in the course of your risk management process are communicated to key security decision-makers and accountable individuals.
                - You conduct risk assessments when significant events potentially affect the essential function(s), such as replacing a system or a change in the cyber security threat.
                - You perform threat analysis and understand how generic threats apply to your organisation.
            - subprincipleitemgroup:
                kind: Achieved
                condition: All
                subprincipleitem:
                - Your organisational process ensures that security risks to networks and information systems relevant to essential functions are identified, analysed, prioritised, and managed.
                - Your approach to risk is focused on the possibility of adverse impact to your essential function, leading to a detailed understanding of how such impact might arise as a consequence of possible attacker actions and the security properties of your networks and information systems.
                - Your risk assessments are based on a clearly understood set of threat assumptions, informed by an up-to-date understanding of security threats to your essential function and your sector.
                - Your risk assessments are informed by an understanding of the vulnerabilities in the networks and information systems supporting your essential function.
                - The output from your risk management process is a clear set of security requirements that will address the risks in line with your organisational approach to security.
                - Significant conclusions reached in the course of your risk management process are communicated to key security decision-makers and accountable individuals.
                - Your risk assessments are dynamic and updated in the light of relevant changes which may include technical changes to networks and information systems, change of use and new threat information.
                - The effectiveness of your risk management process is reviewed periodically, and improvements made as required.
                - You perform detailed threat analysis and understand how this applies to your organisation in the context of the threat to your sector and the wider CNI.
        - sub-principle:
            name: A2.b Assurance
            description: You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to essential functions.
            subprincipleitemgroups:
            - subprincipleitemgroup:
                kind: Not
                condition: At least one
                subprincipleitem:
                - A particular product or service is seen as a "silver bullet" and vendor claims are taken at face value.
                - Assurance methods are applied without appreciation of their strengths and limitations, such as the risks of penetration testing in operational environments.
                - Assurance is assumed because there have been no known problems to date.
            - subprincipleitemgroup:
                kind: Achieved
                condition: All
                subprincipleitem:
                - You validate that the security measures in place to protect the networks and information systems are effective and remain effective for the lifetime over which they are needed.
                - You understand the assurance methods available to you and choose appropriate methods to gain confidence in the security of essential functions.
                - Your confidence in the security as it relates to your technology, people, and processes can be justified to, and verified by, a third party.
                - Security deficiencies uncovered by assurance activities are assessed, prioritised and remedied when necessary in a timely and effective way.
                - The methods used for assurance are reviewed to ensure they are working as intended and remain the most appropriate method to use.
    - principle:
        name: Principle A3 Asset Management
        description: Everything required to deliver, maintain or support network and information systems necessary for the operation of essential functions is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling).
        sub-principles:
        - sub-principle:
            name: A3.a Asset Management
            description: None
            subprincipleitemgroups:
            - subprincipleitemgroup:
                kind: Not
                condition: At least one
                subprincipleitem:
                - Inventories of assets relevant to the essential function(s) are incomplete, non-existent, or inadequately detailed.
                - Only certain domains or types of asset are documented and understood. Dependencies between assets are not understood (such as the dependencies between IT and OT).
                - Information assets, which could include personally identifiable information and / or important / critical data, are stored for long periods of time with no clear business need or retention policy.
                - Knowledge critical to the management, operation, or recovery of the essential function(s) is held by one or two key individuals with no succession plan.
                - Asset inventories are neglected and out of date.
            - subprincipleitemgroup:
                kind: Achieved
                condition: All
                subprincipleitem:
                - All assets relevant to the secure operation of essential function(s) are identified and inventoried (at a suitable level of detail). The inventory is kept up-to-date.
                - Dependencies on supporting infrastructure (e.g. power, cooling etc) are recognised and recorded.
                - You have prioritised your assets according to their importance to the operation of the essential function(s).
                - You have assigned responsibility for managing all assets, including physical assets, relevant to the operation of the essential function(s).
                - Assets relevant to the essential function(s) are managed with cyber security in mind throughout their lifecycle, from creation through to eventual decommissioning or disposal.
    - principle:
        name: Principle A4 Supply Chain
        description: The organisation understands and manages security risks to network and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.
        sub-principles:
        - sub-principle:
            name: A4.a Supply Chain
            description: None
            subprincipleitemgroups:
            - subprincipleitemgroup:
                kind: Not
                condition: At least one
                subprincipleitem:
                - You do not know what data belonging to you is held by suppliers, or how it is managed.
                - Elements of the supply chain for essential function(s) are subcontracted and you have little or no visibility of the sub-contractors.
                - You have no understanding of which contracts are relevant and / or relevant contracts do not specify appropriate security obligations.
                - Suppliers have access to systems that provide your essential function(s) that is unrestricted, not monitored or bypasses your own security controls.
            - subprincipleitemgroup:
                kind: Partially
                condition: All
                subprincipleitem:
                - You understand the general risks suppliers may pose to your essential function(s).
                - You know the extent of your supply chain that supports your essential function(s), including sub-contractors.
                - You understand which contracts are relevant and you include appropriate security obligations in relevant contracts.
                - You are aware of all third-party connections and have assurance that they meet your organisation’s security requirements.
                - Your approach to security incident management considers incidents that might arise in your supply chain.
                - You have confidence that information shared with suppliers that is necessary for the operation of your essential function(s) is appropriately protected from well-known attacks and known vulnerabilities.
            - subprincipleitemgroup:
                kind: Achieved
                condition: All
                subprincipleitem:
                - You have a deep understanding of your supply chain, including sub-contractors and the wider risks it faces. You consider factors such as supplier’s partnerships, competitors, nationality and other organisations with which they sub-contract. This informs your risk assessment and procurement processes.
                - Your approach to supply chain risk management considers the risks to your essential function(s) arising from supply chain subversion by capable and well-resourced attackers.
                - You have confidence that information shared with suppliers that is essential to the operation of your function(s) is appropriately protected from sophisticated attacks.
                - You understand which contracts are relevant and you include appropriate security obligations in relevant contracts. You have a proactive approach to contract management which may include a contract management plan for relevant contracts.
                - Customer / supplier ownership of responsibilities is laid out in contracts.
                - All network connections and data sharing with third parties are managed effectively and proportionately.
                - When appropriate, your incident management process and that of your suppliers provide mutual support in the resolution of incidents.
- objective:
    name: Objective B - Protecting against cyber attack
    description: Proportionate security measures are in place to protect the network and information systems supporting essential functions from cyber attack.
    principles:
    - principle:
        name: B1 Service Protection Policies, Processes and Procedures
        description: The organisation defines, implements, communicates and enforces appropriate policies, processes and procedures that direct its overall approach to securing systems and data that support operation of essential functions.
        sub-principles:
        - sub-principle:
            name: B1.a Policy, Process and Procedure Development
            description: You have developed and continue to improve a set of cyber security and resilience policies, processes and procedures that manage and mitigate the risk of adverse impact on your essential function(s).
            subprincipleitemgroups:
            - subprincipleitemgroup:
                kind: Not
                condition: At least one
                subprincipleitem:
                - Your policies, processes and procedures are absent or incomplete.
                - Policies, processes and procedures are not applied universally or consistently.
                - People often or routinely circumvent policies, processes and procedures to achieve business objectives.
                - Your organisation’s security governance and risk management approach has no bearing on your policies, processes and procedures.
                - System security is totally reliant on users' careful and consistent application of manual security processes.
                - Policies, processes and procedures have not been reviewed in response to major changes (e.g. technology or regulatory framework), or within a suitable period.
                - Policies, processes and procedures are not readily available to staff, too detailed to remember, or too hard to understand.
            - subprincipleitemgroup:
                kind: Partially
                condition: All
                subprincipleitem:
                - Most of your policies, processes and procedures are followed and their application is monitored.
                - Your policies, processes and procedures are integrated with other organisational policies, processes and procedures, including HR assessments of individuals' trustworthiness.
                - All staff are aware of their responsibilities under your policies, processes and procedures. All breaches of policies, processes and procedures with the potential to adversely impact the essential function(s) are fully investigated. Other breaches are tracked, assessed for trends and action is taken to understand and address.
            - subprincipleitemgroup:
                kind: Achieved
                condition: All
                subprincipleitem:
                - All your policies, processes and procedures are followed, their correct application and security effectiveness is evaluated.
                - Your policies, processes and procedures are integrated with other organisational policies, processes and procedures, including HR assessments of individuals' trustworthiness.
                - Your policies, processes and procedures are effectively and appropriately communicated across all levels of the organisation resulting in good staff awareness of their responsibilities.
                - Appropriate action is taken to address all breaches of policies, processes and procedures with potential to adversely impact the essential function(s) including aggregated breaches.
    - principle:
        name: Principle B2 Identity and Access Control
        description: The organisation understands, documents and manages access to network and information systems supporting the operation of essential functions. Users (or automated functions) that can access data or systems are appropriately verified, authenticated and authorised.
        sub-principles:
        - sub-principle:
            name: B2.a Identity Verification, Authentication and Authorisation
            description: You robustly verify, authenticate and authorise access to the network and information systems supporting your essential function(s).
            subprincipleitemgroups:
            - subprincipleitemgroup:
                kind: Not
                condition: At least one
                subprincipleitem:
                - Initial identity verification is not robust enough to provide an acceptable level of confidence of a user’s identity profile.
                - Authorised users and systems with access to networks or information systems on which your essential function(s) depends cannot be individually identified.
                - Unauthorised individuals or devices can access your network or information systems on which your essential function(s) depends.
                - The number of authorised users and systems that have access to your network and information systems are not limited to the minimum necessary.
                - Your approach to authenticating users, devices and systems does not follow up to date best practice.
            - subprincipleitemgroup:
                kind: Partially
                condition: All
                subprincipleitem:
                - Your process of initial identity verification is robust enough to provide a reasonable level of confidence of a user’s identity profile before allowing an authorised user access to network and information systems that support your essential function(s).
                - All authorised users and systems with access to network or information systems on which your essential function(s) depends are individually identified and authenticated.
                - The number of authorised users and systems that have access to essential function(s) network and information systems is limited to the minimum necessary.
                - You use additional authentication mechanisms, such as multi-factor (MFA), for privileged access to all network and information systems that operate or support your essential function(s).
                - You individually authenticate and authorise all remote access to all your network and information systems that support your essential function(s).
                - The list of users and systems with access to network and information systems supporting and delivering the essential function(s) is reviewed on a regular basis, at least annually.
                - Your approach to authenticating users, devices and systems follows up to date best practice.
            - subprincipleitemgroup:
                kind: Achieved
                condition: All
                subprincipleitem:
                - Your process of initial identity verification is robust enough to provide a high level of confidence of a user’s identity profile before allowing an authorised user access to network and information systems that support your essential function(s).
                - Only authorised and individually authenticated users can physically access and logically connect to your network or information systems on which your essential function(s) depends.
                - The number of authorised users and systems that have access to all your network and information systems supporting the essential function(s) is limited to the minimum necessary.
                - You use additional authentication mechanisms, such as multi-factor (MFA), for all user access, including remote access, to all network and information systems that operate or support your essential function(s).
                - The list of users and systems with access to network and information systems supporting and delivering the essential function(s) is reviewed on a regular basis, at least every six months.
                - Your approach to authenticating users, devices and systems follows up to date best practice.
        - sub-principle:
            name: B2.b Device Management
            description: You fully know and have trust in the devices that are used to access your networks, information systems and data that support your essential function(s).
            subprincipleitemgroups:
            - subprincipleitemgroup:
                kind: Not
                condition: At least one
                subprincipleitem:
                - Users can connect to your network and information systems supporting your essential function(s) using devices that are not corporately owned and managed.
                - Privileged users can perform privileged operations from devices that are not corporately owned and managed.
                - You have not gained assurance in the security of any third-party devices or networks connected to your systems.
                - Physically connecting a device to your network and information systems gives that device access without device or user authentication.
            - subprincipleitemgroup:
                kind: Partially
                condition: All
                subprincipleitem:
                - Only corporately owned and managed devices can access your essential function(s) network and information systems.
                - All privileged operations are performed from corporately owned and managed devices.
                - These devices provide sufficient separation, using a risk-based approach, from the activities of standard users.
                - You have sought to understand the security properties of third-party devices and networks before they can be connected to your systems.
                - You have taken appropriate steps to mitigate any risks identified.
                - The act of connecting to a network port or cable does not grant access to any systems.
                - You are able to detect unknown devices being connected to your network and information systems and investigate such incidents.
            - subprincipleitemgroup:
                kind: Achieved
                condition: All
                subprincipleitem:
                - All privileged operations performed on your network and information systems supporting your essential function(s) are conducted from highly trusted devices, such as Privileged Access Workstations, dedicated solely to those operations.
                - You either obtain independent and professional assurance of the security of third-party devices or networks before they connect to your network and information systems, or you only allow third-party devices or networks that are dedicated to supporting your network and information systems to connect.
                - You perform certificate-based device identity management and only allow known devices to access systems necessary for the operation of your essential function(s).
                - You perform regular scans to detect unknown devices and investigate any findings.
        - sub-principle:
            name: B2.c Privileged User Management
            description: You closely manage privileged user access to network and information systems supporting your essential function(s).
            subprincipleitemgroups:
            - subprincipleitemgroup:
                kind: Not
                condition: At least one
                subprincipleitem:
                - The identities of the individuals with privileged access to network and information systems (infrastructure, platforms, software, configuration etc) supporting your essential function(s) are not known or not managed.
                - Privileged user access to network and information systems supporting your essential function(s) is via weak authentication mechanisms (e.g. only simple passwords).
                - The list of privileged users has not been reviewed recently (e.g. within the last 12 months).
                - Privileged user access is granted on a system-wide basis rather than by role or function(s).
                - Privileged user access to your essential function(s) is via generic, shared or default name accounts.
                - Where there are “always on” terminals which can perform privileged actions (such as in a control room), there are no additional controls (e.g. physical controls) to ensure access is appropriately restricted.
                - There is no logical separation between roles that an individual may have and hence the actions they perform (e.g. access to corporate email and privileged user actions).
            - subprincipleitemgroup:
                kind: Partially
                condition: All
                subprincipleitem:
                - All privileged user access to network and information systems supporting your essential function(s) requires strong authentication, such as multi-factor (MFA).
                - The identities of the individuals with privileged access to network and information systems (infrastructure, platforms, software, configuration etc) supporting your essential function(s) are known and managed. This includes third parties.
                - Activity by privileged users is routinely reviewed and validated (e.g. at least annually).
                - Privileged users are only granted specific privileged user access rights which are essential to their business role or function.
            - subprincipleitemgroup:
                kind: Achieved
                condition: All
                subprincipleitem:
                - Privileged user access to network and information systems supporting your essential function(s) is carried out from dedicated separate accounts that are closely monitored and managed.
                - The issuing of temporary, time-bound rights for privileged user access and / or external third-party support access is in place.
                - Privileged user access rights are regularly reviewed and always updated as part of your joiners, movers and leavers process.
                - All privileged user activity is routinely reviewed, validated and recorded for offline analysis and investigation.
        - sub-principle:
            name: B2.d Identity and Access Management (IdAM)
            description: You closely manage and maintain identity and access control for users, devices and systems accessing the network and information systems supporting your essential function(s).
            subprincipleitemgroups:
            - subprincipleitemgroup:
                kind: Not
                condition: At least one
                subprincipleitem:
                - Greater access rights are granted than necessary.
                - Identity validation and requirement for access of a user, device or systems is not carried out.
                - User access rights are not reviewed when users change roles.
                - User access rights remain active when users leave your organisation.
                - Access rights granted to devices or systems to access other devices and systems are not reviewed on a regular basis (at least annually).
            - subprincipleitemgroup:
                kind: Partially
                condition: All
                subprincipleitem:
                - You follow a robust procedure to verify each user and issue the minimum required access rights.
                - You regularly review access rights and those no longer needed are revoked.
                - User access rights are reviewed when users change roles via your joiners, leavers and movers process.
                - All user, device and system access to the systems supporting the essential function(s) is logged and monitored, but it is not compared to other log data or access records.
            - subprincipleitemgroup:
                kind: Achieved
                condition: All
                subprincipleitem:
                - You follow a robust procedure to verify each user and issue the minimum required access rights, and the application of the procedure is regularly audited.
                - User access rights are reviewed both when people change roles via your joiners, leavers and movers process and at regular intervals - at least annually.
                - All user, device and systems access to the systems supporting the essential function(s) is logged and monitored.
                - You regularly review access logs and correlate this data with other access records and expected activity.
                - Attempts by unauthorised users, devices or systems to connect to the systems supporting the essential function(s) are alerted, promptly assessed and investigated.
- principle:
|
||
name: Principle B3 Data Security
|
||
description: Data stored or transmitted electronically is protected from actions such as unauthorised access, modification, or deletion that may cause an adverse impact on essential functions. Such protection extends to the means by which authorised users, devices and systems access critical data necessary for the operation of essential functions. It also covers information that would assist an attacker, such as design details of network and information systems.
|
||
sub-principles:
|
||
- sub-principle:
|
||
name: B3.a Understanding Data
|
||
description: You have a good understanding of data important to the operation of your essential function(s), where it is stored, where it travels and how unavailability or unauthorised access, modification or deletion would adversely impact the essential function(s). This also applies to third parties storing or accessing data important to the operation of your essential function(s).
|
||
subprincipleitemgroups:
|
||
- subprincipleitemgroup:
|
||
kind: Not
|
||
condition: At least one
|
||
subprincipleitem:
|
||
- You have incomplete knowledge of what data is used by and produced in the operation of the essential function(s).
|
||
- You have not identified the important data on which your essential function(s) relies.
|
||
- You have not identified who has access to data important to the operation of the essential function(s).
|
||
- You have not clearly articulated the impact of data compromise or lack of availability.
|
||
- subprincipleitemgroup:
|
||
kind: Partially
|
||
condition: All
|
||
subprincipleitem:
|
||
- You have identified and catalogued all the data important to the operation of the essential function(s), or that would assist an attacker.
|
||
- You have identified and catalogued who has access to the data important to the operation of the essential function(s).
|
||
- You regularly review location, transmission, quantity and quality of data important to the operation of the essential function(s).
|
||
- You have identified all mobile devices and media that hold data important to the operation of the essential function(s).
|
||
- You understand and document the impact on your essential function(s) of all relevant scenarios, including unauthorised data access, modification or deletion, or when authorised users are unable to appropriately access this data.
|
||
- You occasionally validate these documented impact statements.
|
||
- subprincipleitemgroup:
|
||
kind: Achieved
|
||
condition: All
|
||
subprincipleitem:
|
||
- You have identified and catalogued all the data important to the operation of the essential function(s), or that would assist an attacker.
|
||
- You have identified and catalogued who has access to the data important to the operation of the essential function(s).
|
||
- You maintain a current understanding of the location, quantity and quality of data important to the operation of the essential function(s).
|
||
- You take steps to remove or minimise unnecessary copies or unneeded historic data.
|
||
- You have identified all mobile devices and media that may hold data important to the operation of the essential function(s).
|
||
- You maintain a current understanding of the data links used to transmit data that is important to your essential function(s).
|
||
- You understand the context, limitations and dependencies of your important data.
|
||
- You understand and document the impact on your essential function(s) of all relevant scenarios, including unauthorised data access, modification or deletion, or when authorised users are unable to appropriately access this data.
|
||
- You validate these documented impact statements regularly, at least annually.
|
||
- sub-principle:
|
||
name: B3.b Data in Transit
|
||
description: You have protected the transit of data important to the operation of your essential function(s). This includes the transfer of data to third parties.
|
||
subprincipleitemgroups:
|
||
- subprincipleitemgroup:
|
||
kind: Not
|
||
condition: At least one
|
||
subprincipleitem:
|
||
- You do not know what all your data links are, or which carry data important to the operation of the essential function(s).
|
||
- Data important to the operation of the essential function(s) travels without technical protection over non-trusted or openly accessible carriers.
|
||
- Critical data paths that could fail, be jammed, be overloaded, etc. have no alternative path.
|
||
- subprincipleitemgroup:
|
||
kind: Partially
|
||
condition: All
|
||
subprincipleitem:
|
||
- You have identified and protected (effectively and proportionately) all the data links that carry data important to the operation of your essential function(s).
|
||
- You apply appropriate technical means (e.g. cryptography) to protect data that travels over non-trusted or openly accessible carriers, but you have limited or no confidence in the robustness of the protection applied.
|
||
- subprincipleitemgroup:
|
||
kind: Achieved
|
||
condition: All
|
||
subprincipleitem:
|
||
- You have identified and protected (effectively and proportionately) all the data links that carry data important to the operation of your essential function(s).
|
||
- You apply appropriate physical and / or technical means to protect data that travels over non-trusted or openly accessible carriers, with justified confidence in the robustness of the protection applied.
|
||
- Suitable alternative transmission paths are available where there is a significant risk of impact on the operation of the essential function(s) due to resource limitation (e.g. transmission equipment or function failure, or important data being blocked or jammed).
|
||
- sub-principle:
|
||
name: B3.c Stored Data
|
||
description: You have protected stored soft and hard copy data important to the operation of your essential function(s).
|
||
subprincipleitemgroups:
|
||
- subprincipleitemgroup:
|
||
kind: Not
|
||
condition: At least one
|
||
subprincipleitem:
|
||
- You have no, or limited, knowledge of where data important to the operation of the essential function(s) is stored.
|
||
- You have not protected vulnerable stored data important to the operation of the essential function(s) in a suitable way.
|
||
- Backups are incomplete, untested, not adequately secured or could be inaccessible in a disaster recovery or business continuity situation.
|
||
- subprincipleitemgroup:
|
||
kind: Partially
|
||
condition: All
|
||
subprincipleitem:
|
||
- All copies of data important to the operation of your essential function(s) are necessary. Where this important data is transferred to less secure systems, the data is provided with limited detail and / or as a read-only copy.
|
||
- You have applied suitable physical and / or technical means to protect this important stored data from unauthorised access, modification or deletion.
|
||
- If cryptographic protections are used, you apply suitable technical and procedural means, but you have limited or no confidence in the robustness of the protection applied.
|
||
- You have suitable, secured backups of data to allow the operation of the essential function(s) to continue should the original data not be available. This may include off-line or segregated backups, or appropriate alternative forms such as paper copies.
|
||
- subprincipleitemgroup:
|
||
kind: Achieved
|
||
condition: All
|
||
subprincipleitem:
|
||
- All copies of data important to the operation of your essential function(s) are necessary. Where this important data is transferred to less secure systems, the data is provided with limited detail and / or as a read-only copy.
|
||
- You have applied suitable physical and / or technical means to protect this important stored data from unauthorised access, modification or deletion.
|
||
- If cryptographic protections are used you apply suitable technical and procedural means, and you have justified confidence in the robustness of the protection applied.
|
||
- You have suitable, secured backups of data to allow the operation of the essential function(s) to continue should the original data not be available. This may include off-line or segregated backups, or appropriate alternative forms such as paper copies.
|
||
- Necessary historic or archive data is suitably secured in storage.
|
||
- sub-principle:
|
||
name: B3.d Mobile Data
|
||
description: You have protected data important to the operation of your essential function(s) on mobile devices.
|
||
subprincipleitemgroups:
|
||
- subprincipleitemgroup:
|
||
kind: Not
|
||
condition: At least one
|
||
subprincipleitem:
|
||
- You don’t know which mobile devices may hold data important to the operation of the essential function(s).
|
||
- You allow data important to the operation of the essential function(s) to be stored on devices not managed by your organisation, or to at least equivalent standard.
|
||
- Data on mobile devices is not technically secured, or only some is secured.
|
||
- subprincipleitemgroup:
|
||
kind: Partially
|
||
condition: All
|
||
subprincipleitem:
|
||
- You know which mobile devices hold data important to the operation of the essential function(s).
|
||
- Data important to the operation of the essential function(s) is stored on mobile devices only when they have at least the security standard aligned to your overarching security policies.
|
||
- Data on mobile devices is technically secured.
|
||
- subprincipleitemgroup:
|
||
kind: Achieved
|
||
condition: All
|
||
subprincipleitem:
|
||
- Mobile devices that hold data that is important to the operation of the essential function(s) are catalogued, are under your organisation's control and configured according to best practice for the platform, with appropriate technical and procedural policies in place.
|
||
- Your organisation can remotely wipe all mobile devices holding data important to the operation of the essential function(s).
|
||
- You have minimised this data on these mobile devices. Some data may be automatically deleted off mobile devices after a certain period.
|
||
- sub-principle:
|
||
name: B3.e Media / Equipment Sanitisation
|
||
description: Before reuse and / or disposal you appropriately sanitise devices, equipment and removable media holding data important to the operation of your essential function(s).
|
||
subprincipleitemgroups:
|
||
- subprincipleitemgroup:
|
||
kind: Not
|
||
condition: At least one
|
||
subprincipleitem:
|
||
- Some or all devices, equipment or removable media that hold data important to the operation of the essential function(s) are reused or disposed of without sanitisation of that data.
|
||
- subprincipleitemgroup:
|
||
kind: Partially
|
||
condition: All
|
||
subprincipleitem:
|
||
- Data important to the operations of the essential function(s) is removed from all devices, equipment and removable media before reuse and / or disposal.
|
||
- subprincipleitemgroup:
|
||
kind: Achieved
|
||
condition: All
|
||
subprincipleitem:
|
||
- You catalogue and track all devices that contain data important to the operation of the essential function(s) (whether a specific storage device or one with integral storage).
|
||
- Data important to the operation of the essential function(s) is removed from all devices, equipment and removable media before reuse and / or disposal using an assured product or service.
|
||
- principle:
|
||
name: Principle B4 System Security
|
||
description: Network and information systems and technology critical for the operation of essential functions are protected from cyber attack. An organisational understanding of risk to essential functions informs the use of robust and reliable protective security measures to effectively limit opportunities for attackers to compromise networks and systems.
|
||
sub-principles:
|
||
- sub-principle:
|
||
name: B4.a Secure by Design
|
||
description: You design security into the network and information systems that support the operation of your essential function(s). You minimise their attack surface and ensure that the operation of your essential function(s) should not be impacted by the exploitation of any single vulnerability.
|
||
subprincipleitemgroups:
|
||
- subprincipleitemgroup:
|
||
kind: Not
|
||
condition: At least one
|
||
subprincipleitem:
|
||
- Systems essential to the operation of the essential function(s) are not appropriately segregated from other systems.
|
||
- Internet access is available from network and information systems supporting your essential function(s).
|
||
- Data flows between network and information systems supporting your essential function(s) and other systems are complex, making it hard to discriminate between legitimate and illegitimate / malicious traffic.
|
||
- Remote or third-party accesses circumvent some network controls to gain more direct access to network and information systems supporting the essential function(s).
|
||
- subprincipleitemgroup:
|
||
kind: Partially
|
||
condition: All
|
||
subprincipleitem:
|
||
- You employ appropriate expertise to design network and information systems.
|
||
- You design strong boundary defences where your network and information systems interface with other organisations or the world at large.
|
||
- You design simple data flows between your network and information systems and any external interface to enable effective monitoring.
|
||
- You design to make network and information system recovery simple.
|
||
- All inputs to network and information systems supporting your essential function(s) are checked and validated at the network boundary where possible, or additional monitoring is in place for content-based attacks.
|
||
- subprincipleitemgroup:
|
||
kind: Achieved
|
||
condition: All
|
||
subprincipleitem:
|
||
- You employ appropriate expertise to design network and information systems.
|
||
- Your network and information systems are segregated into appropriate security zones (e.g. systems supporting the essential function(s) are segregated in a highly trusted, more secure zone).
|
||
- The network and information systems supporting your essential function(s) are designed to have simple data flows between components to support effective security monitoring.
|
||
- The network and information systems supporting your essential function(s) are designed to be easy to recover. Content-based attacks are mitigated for all inputs to network and information systems that affect the essential function(s) (e.g. via transformation and inspection).
|
||
- sub-principle:
|
||
name: B4.b Secure Configuration
|
||
description: You securely configure the network and information systems that support the operation of your essential function(s).
|
||
subprincipleitemgroups:
|
||
- subprincipleitemgroup:
|
||
kind: Not
|
||
condition: At least one
|
||
subprincipleitem:
|
||
- You haven't identified the assets that need to be carefully configured to maintain the security of the essential function(s).
|
||
- Policies relating to the security of operating system builds or configuration are not applied consistently across your network and information systems relating to your essential function(s).
|
||
- Configuration details are not recorded or lack enough information to be able to rebuild the system or device.
|
||
- The recording of security changes or adjustments that affect your essential function(s) is lacking or inconsistent.
|
||
- Generic, shared, default name and built-in accounts have not been removed or disabled.
|
||
- subprincipleitemgroup:
|
||
kind: Partially
|
||
condition: All
|
||
subprincipleitem:
|
||
- You have identified and documented the assets that need to be carefully configured to maintain the security of the essential function(s).
|
||
- Secure platform and device builds are used across the estate.
|
||
- Consistent, secure and minimal system and device configurations are applied across the same types of environment.
|
||
- Changes and adjustments to security configuration at security boundaries with the network and information systems supporting your essential function(s) are approved and documented.
|
||
- You verify software before installation is permitted.
|
||
- Generic, shared, default name and built-in accounts have been removed or disabled. Where this is not possible, credentials to these accounts have been changed.
|
||
- subprincipleitemgroup:
|
||
kind: Achieved
|
||
condition: All
|
||
subprincipleitem:
|
||
- You have identified, documented and actively manage (e.g. maintain security configurations, patching, updating according to good practice) the assets that need to be carefully configured to maintain the security of the essential function(s).
|
||
- All platforms conform to your secure, defined baseline build, or the latest known good configuration version for that environment.
|
||
- You closely and effectively manage changes in your environment, ensuring that network and system configurations are secure and documented.
|
||
- You regularly review and validate that your network and information systems have the expected, secure settings and configuration.
|
||
- Only permitted software can be installed.
|
||
- Standard users are not able to change settings that would impact security or the business operation.
|
||
- If automated decision-making technologies are in use, their operation is well understood, and decisions can be replicated.
|
||
- Generic, shared, default name and built-in accounts have been removed or disabled. Where this is not possible, credentials to these accounts have been changed.
|
||
- sub-principle:
|
||
name: B4.c Secure Management
|
||
description: You manage your organisation's network and information systems that support the operation of your essential function(s) to enable and maintain security.
|
||
subprincipleitemgroups:
|
||
- subprincipleitemgroup:
|
||
kind: Not
|
||
condition: At least one
|
||
subprincipleitem:
|
||
- Your systems and devices supporting the operation of the essential function(s) are administered or maintained from devices that are not corporately owned and managed.
|
||
- You do not have good or current technical documentation of your network and information systems.
|
||
- subprincipleitemgroup:
|
||
kind: Partially
|
||
condition: All
|
||
subprincipleitem:
|
||
- Your systems and devices supporting the operation of the essential function(s) are only administered or maintained by authorised privileged users from devices sufficiently separated, using a risk-based approach, from the activities of standard users.
|
||
- Technical knowledge about network and information systems, such as documentation and network diagrams, is regularly reviewed and updated.
|
||
- You prevent, detect and remove malware, and unauthorised software. You use technical, procedural and physical measures as necessary.
|
||
- subprincipleitemgroup:
|
||
kind: Achieved
|
||
condition: All
|
||
subprincipleitem:
|
||
- Your systems and devices supporting the operation of the essential function(s) are only administered or maintained by authorised privileged users from highly trusted devices, such as Privileged Access Workstations, dedicated solely to those operations.
|
||
- You regularly review and update technical knowledge about network and information systems, such as documentation and network diagrams, and ensure they are securely stored.
|
||
- You prevent, detect and remove malware, and unauthorised software.
|
||
- You use technical, procedural and physical measures as necessary.
|
||
- sub-principle:
|
||
name: B4.d. Vulnerability Management
|
||
description: You manage known vulnerabilities in your network and information systems to prevent adverse impact on your essential function(s).
|
||
subprincipleitemgroups:
|
||
- subprincipleitemgroup:
|
||
kind: Not
|
||
condition: At least one
|
||
subprincipleitem:
|
||
- You do not understand the exposure of your essential function(s) to publicly-known vulnerabilities.
|
||
- You do not mitigate externally exposed vulnerabilities promptly.
|
||
- You have not recently tested to verify your understanding of the vulnerabilities of the network and information systems that support your essential function(s).
|
||
- You have not suitably mitigated systems or software that is no longer supported.
|
||
- You are not pursuing replacement for unsupported systems or software.
|
||
- subprincipleitemgroup:
|
||
kind: Partially
|
||
condition: All
|
||
subprincipleitem:
|
||
- You maintain a current understanding of the exposure of your essential function(s) to publicly-known vulnerabilities.
|
||
- Announced vulnerabilities for all software packages, network and information systems used to support your essential function(s) are tracked, prioritised and externally exposed vulnerabilities are mitigated (e.g. by patching) promptly.
|
||
- Some vulnerabilities that are not externally exposed have temporary mitigations for an extended period.
|
||
- You have temporary mitigations for unsupported systems and software while pursuing migration to supported technology.
|
||
- You regularly test to fully understand the vulnerabilities of the network and information systems that support the operation of your essential function(s).
|
||
- subprincipleitemgroup:
|
||
kind: Achieved
|
||
condition: All
|
||
subprincipleitem:
|
||
- You maintain a current understanding of the exposure of your essential function(s) to publicly-known vulnerabilities.
|
||
- Announced vulnerabilities for all software packages, network and information systems used to support your essential function(s) are tracked, prioritised and mitigated (e.g. by patching) promptly.
|
||
- You regularly test to fully understand the vulnerabilities of the network and information systems that support the operation of your essential function(s) and verify this understanding with third-party testing.
|
||
- You maximise the use of supported software, firmware and hardware in your network and information systems supporting your essential function(s).
|
||
- principle:
|
||
name: Principle B5 Resilient Networks and Systems
|
||
description: The organisation builds resilience against cyber attack and system failure into the design, implementation, operation and management of systems that support the operation of essential functions.
|
||
sub-principles:
|
||
- sub-principle:
|
||
name: B5.a Resilience Preparation
|
||
description: You are prepared to restore the operation of your essential function(s) following adverse impact.
|
||
subprincipleitemgroups:
|
||
- subprincipleitemgroup:
|
||
kind: Not
|
||
condition: Any
|
||
subprincipleitem:
|
||
- You have limited understanding of all the elements that are required to restore operation of the essential function(s).
|
||
- You have not completed business continuity and disaster recovery plans for network and information systems, including their dependencies, supporting the operation of the essential function(s).
|
||
- You have not fully assessed the practical implementation of your business continuity and disaster recovery plans.
|
||
- subprincipleitemgroup:
|
||
kind: Partially
|
||
condition: All
|
||
subprincipleitem:
|
||
- You have business continuity and disaster recovery plans that have been tested for practicality, effectiveness and completeness. Appropriate use is made of different test methods (e.g. manual fail-over, table-top exercises, or red-teaming).
|
||
- You use your security awareness and threat intelligence sources to identify new or heightened levels of risk, which result in immediate and potentially temporary security measures to enhance the security of your network and information systems (e.g. in response to a widespread outbreak of very damaging malware).
|
||
- sub-principle:
|
||
name: B5.b Design for Resilience
|
||
description: You design the network and information systems supporting your essential function(s) to be resilient to cyber security incidents. Systems are appropriately segregated and resource limitations are mitigated.
|
||
subprincipleitemgroup:
|
||
kind: Not
|
||
condition: At least one
|
||
subprincipleitem:
|
||
- Network and information systems supporting the operation of your essential function(s) are not appropriately segregated.
|
||
- Internet services, such as browsing and email, are accessible from network and information systems supporting the essential function(s).
|
||
- You do not understand or lack plans to mitigate all resource limitations that could adversely affect your essential function(s).
|
||
subprincipleitemgroup:
|
||
kind: Partially
|
||
condition: All
|
||
subprincipleitem:
|
||
- Network and information systems supporting the operation of your essential function(s) are logically separated from your business systems (e.g. they reside on the same network as the rest of the organisation but within a DMZ).
|
||
- Internet services are not accessible from network and information systems supporting the essential function(s).
|
||
- Resource limitations (e.g. network bandwidth, single network paths) have been identified but not fully mitigated.
|
||
subprincipleitemgroup:
|
||
kind: Achieved
|
||
condition: All
|
||
subprincipleitem:
|
||
- Network and information systems supporting the operation of your essential function(s) are segregated from other business and external systems by appropriate technical and physical means (e.g. separate network and system infrastructure with independent user administration). Internet services are not accessible from network and information systems supporting the essential function(s).
|
||
- You have identified and mitigated all resource limitations (e.g. bandwidth limitations and single network paths).
|
||
- You have identified and mitigated any geographical constraints or weaknesses. (e.g. systems that your essential function(s) depends upon are replicated in another location, important network connectivity has alternative physical paths and service providers).
|
||
- You review and update assessments of dependencies, resource and geographical limitations and mitigations when necessary.
|
||
- sub-principle:
|
||
name: B5.c Backups
|
||
description: You hold accessible and secured current backups of data and information needed to recover operation of your essential function(s).
|
||
subprincipleitemgroups:
|
||
- subprincipleitemgroup:
|
||
kind: Not
|
||
condition: At least one
|
||
subprincipleitem:
|
||
- Backup coverage is incomplete and does not include all relevant data and information needed to restore the operation of your essential function(s).
|
||
- Backups are not frequent enough for the operation of your essential function(s) to be restored effectively.
|
||
- Your restoration process does not restore your essential function(s) in a suitable time frame.
|
||
- subprincipleitemgroup:
|
||
kind: Partially
|
||
condition: All
|
||
subprincipleitem:
|
||
- You have appropriately secured backups (including data, configuration information, software, equipment, processes and knowledge). These backups will be accessible to recover from an extreme event.
|
||
- You routinely test backups to ensure that the backup process function(s) correctly and the backups are usable.
|
||
- subprincipleitemgroup:
|
||
kind: Achieved
|
||
condition: All
|
||
subprincipleitem:
|
||
- Your comprehensive, automatic and tested technical and procedural backups are secured at centrally accessible or secondary sites to recover from an extreme event.
|
||
- Backups of all important data and information needed to recover the essential function(s) are made, tested, documented and routinely reviewed.
|
||
- principle:
|
||
name: Principle B6 Staff Awareness and Training
|
||
description: Staff have appropriate awareness, knowledge and skills to carry out their organisational roles effectively in relation to the security of network and information systems supporting the operation of essential functions.
|
||
sub-principles:
|
||
- sub-principle:
|
||
name: B6.a Cyber Security Culture
|
||
description: You develop and maintain a positive cyber security culture.
|
||
subprincipleitemgroups:
|
||
- subprincipleitemgroup:
|
||
kind: Not
|
||
condition: At least one
|
||
subprincipleitem:
|
||
- People in your organisation don't understand what they contribute to the cyber security of the essential function(s).
|
||
- People in your organisation don't know how to raise a concern about cyber security.
|
||
- People believe that reporting issues may get them into trouble.
|
||
- Your organisation's approach to cyber security is perceived by staff as hindering the business of the organisation.
|
||
- subprincipleitemgroup:
|
||
kind: Partially
|
||
condition: All
|
||
subprincipleitem:
|
||
- Your executive management understand and widely communicate the importance of a positive cyber security culture. Positive attitudes, behaviours and expectations are described for your organisation.
|
||
- All people in your organisation understand the contribution they make to the essential function(s) cyber security.
|
||
- All individuals in your organisation know who to contact and where to access more information about cyber security. They know how to raise a cyber security issue.
|
||
- subprincipleitemgroup:
|
||
kind: Achieved
|
||
condition: All
|
||
subprincipleitem:
|
||
- Your executive management clearly and effectively communicates the organisation's cyber security priorities and objectives to all staff. Your organisation displays positive cyber security attitudes, behaviours and expectations.
|
||
- People in your organisation raising potential cyber security incidents and issues are treated positively.
|
||
                          - Individuals at all levels in your organisation routinely report concerns or issues about cyber security and are recognised for their contribution to keeping the organisation secure.
                          - Your management is seen to be committed to and actively involved in cyber security.
                          - Your organisation communicates openly about cyber security, with any concern being taken seriously.
                          - People across your organisation participate in cyber security activities and improvements, building joint ownership and bringing knowledge of their area of expertise.
              - sub-principle:
                  name: B6.b Cyber Security Training
                  description: The people who support the operation of your essential function(s) are appropriately trained in cyber security. A range of approaches to cyber security training, awareness and communications are employed.
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - There are teams who operate and support your essential function(s) that lack any cyber security training.
                          - Cyber security training is restricted to specific roles in your organisation.
                          - Cyber security training records for your organisation are lacking or incomplete.
                    - subprincipleitemgroup:
                        kind: Partially
                        condition: All
                        subprincipleitem:
                          - You have defined appropriate cyber security training and awareness activities for all roles in your organisation, from executives to the most junior roles.
                          - You use a range of teaching and communication techniques for cyber security training and awareness to reach the widest audience effectively.
                          - Cyber security information is easily available.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - All people in your organisation, from the most senior to the most junior, follow appropriate cyber security training paths.
                          - Each individual's cyber security training is tracked and refreshed at suitable intervals.
                          - You routinely evaluate your cyber security training and awareness activities to ensure they reach the widest audience and are effective.
                          - You make cyber security information and good practice guidance easily accessible, widely available and you know it is referenced and used within your organisation.

  - objective:
      name: Objective C - Detecting cyber security events
      description: Capabilities exist to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential function(s).
      principles:
        - principle:
            name: Principle C1 Security Monitoring
            description: The organisation monitors the security status of the network and information systems supporting the operation of essential functions in order to detect potential security problems and to track the ongoing effectiveness of protective security measures.
            sub-principles:
              - sub-principle:
                  name: C1.a Monitoring Coverage
                  description: The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function(s).
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - Data relating to the security and operation of your essential function(s) is not collected.
                          - You do not confidently detect the presence or absence of Indicators of Compromise (IoCs) on your essential function(s), such as known malicious command and control signatures (e.g. because applying the indicator is difficult or your log data is not sufficiently detailed).
                          - You are not able to audit the activities of users in relation to your essential function(s).
                          - You do not capture any traffic crossing your network boundary, including, as a minimum, IP connections.
                    - subprincipleitemgroup:
                        kind: Partially
                        condition: All
                        subprincipleitem:
                          - Data relating to the security and operation of some areas of your essential function(s) is collected but coverage is not comprehensive.
                          - You easily detect the presence or absence of IoCs on your essential function(s), such as known malicious command and control signatures.
                          - Some user monitoring is done, but not covering a fully agreed list of suspicious or undesirable behaviour.
                          - You monitor traffic crossing your network boundary (including IP address connections as a minimum).
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - Monitoring is based on an understanding of your networks, common cyber attack methods and what you need awareness of in order to detect potential security incidents that could affect the operation of your essential function(s) (e.g. presence of malware, malicious emails, user policy violations).
                          - Your monitoring data provides enough detail to reliably detect security incidents that could affect the operation of your essential function(s).
                          - You easily detect the presence or absence of IoCs on your essential function(s), such as known malicious command and control signatures.
                          - Extensive monitoring of user activity in relation to the operation of your essential function(s) enables you to detect policy violations and an agreed list of suspicious or undesirable behaviour.
                          - You have extensive monitoring coverage that includes host-based monitoring and network gateways.
                          - All new systems are considered as potential monitoring data sources to maintain a comprehensive monitoring capability.
              - sub-principle:
                  name: C1.b Securing Logs
                  description: You hold log data securely and grant appropriate access only to accounts with a business need. No system or user should ever need to modify or delete master copies of log data within an agreed retention period, after which it should be deleted.
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - It is possible for log data to be easily edited or deleted by unauthorised users or malicious attackers.
                          - There is no controlled list of the users and systems that can view and query log data.
                          - There is no monitoring of the access to log data. There is no policy for accessing log data.
                          - Log data is not synchronised using an accurate common time source.
                    - subprincipleitemgroup:
                        kind: Partially
                        condition: All
                        subprincipleitem:
                          - Only authorised staff can view log data for investigations.
                          - Authorised users and systems can appropriately access log data.
                          - There is some monitoring of access to log data (e.g. copying, deleting, modifying or viewing).
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - The integrity of log data is protected, or any modification is detected and attributed. The logging architecture has mechanisms, policies, processes and procedures to ensure that it can protect itself from threats comparable to those it is trying to identify. This includes protecting the essential function(s) itself, and the data within it.
                          - Log data analysis and normalisation is only performed on copies of the data, keeping the master copy unaltered.
                          - Log data is synchronised using an accurate common time source, so that separate datasets can be correlated in different ways.
                          - Access to log data is limited to those with business need and no others.
                          - All actions involving all log data (e.g. copying, deleting, modifying or viewing) can be traced back to a unique user.
                          - Legitimate reasons for accessing log data are given in use policies.

              - sub-principle:
                  name: C1.c Generating Alerts
                  description: Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts.
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - Alerts from third party security software are not investigated (e.g. Anti-Virus (AV) providers).
                          - Logs are distributed across devices with no easy way to access them other than manual login or physical action.
                          - The resolution of alerts to a network asset or system is not performed.
                          - Security alerts relating to essential function(s) are not prioritised.
                          - Logs are reviewed infrequently.
                    - subprincipleitemgroup:
                        kind: Partially
                        condition: All
                        subprincipleitem:
                          - Alerts from third party security software are investigated, and action taken.
                          - Some, but not all, log data can be easily queried with search tools to aid investigations.
                          - The resolution of alerts to a network asset or system is performed regularly.
                          - Security alerts relating to some essential function(s) are prioritised.
                          - Logs are reviewed at regular intervals.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - Log data is enriched with other network knowledge and data when investigating certain suspicious activity or alerts.
                          - A wide range of signatures and indicators of compromise is used for investigations of suspicious activity and alerts.
                          - Alerts can be easily resolved to network assets using knowledge of networks and systems. The resolution of these alerts is performed in almost real time.
                          - Security alerts relating to all essential function(s) are prioritised and this information is used to support incident management.
                          - Logs are reviewed almost continuously, in real time.
                          - Alerts are tested to ensure that they are generated reliably and that it is possible to distinguish genuine security incidents from false alarms.
              - sub-principle:
                  name: C1.d Identifying Security Incidents
                  description: You contextualise alerts with knowledge of the threat and your systems, to identify those security incidents that require some form of response.
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - Your organisation has no sources of threat intelligence.
                          - You do not apply updates in a timely way, after receiving them (e.g. AV signature updates, other threat signatures or Indicators of Compromise (IoCs)).
                          - You do not receive signature updates for all protective technologies such as AV and IDS or other software in use.
                          - You do not evaluate the usefulness of your threat intelligence or share feedback with providers or other users.
                    - subprincipleitemgroup:
                        kind: Partially
                        condition: All
                        subprincipleitem:
                          - Your organisation uses some threat intelligence services, but you don't necessarily choose sources or providers specifically because of your business needs, or specific threats in your sector (e.g. sector-based infoshare, ICS software vendors, anti-virus providers, specialist threat intel firms, special interest groups).
                          - You receive updates for all your signature based protective technologies (e.g. AV, IDS). You apply some updates, signatures and IoCs in a timely way.
                          - You know how effective your threat intelligence is (e.g. by tracking how threat intelligence helps you identify security problems).
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - You have selected threat intelligence sources or services using risk-based and threat-informed decisions based on your business needs and sector (e.g. vendor reporting and patching, strong anti-virus providers, sector and community-based infoshare, special interest groups).
                          - You apply all new signatures and IoCs within a reasonable (risk-based) time of receiving them.
                          - You receive signature updates for all your protective technologies (e.g. AV, IDS).
                          - You track the effectiveness of your intelligence feeds and actively share feedback on the usefulness of IoCs and any other indicators with the threat community (e.g. sector partners, threat intelligence providers, government agencies).
              - sub-principle:
                  name: C1.e Monitoring Tools and Skills
                  description: Monitoring staff skills, tools and roles, including any that are outsourced, should reflect governance and reporting requirements, expected threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the essential function(s) they need to protect.
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - There are no staff who perform a monitoring function.
                          - Monitoring staff do not have the correct specialist skills.
                          - Monitoring staff are not capable of reporting against governance requirements.
                          - Monitoring staff lack the skills to successfully perform some significant parts of the defined workflow.
                          - Monitoring tools are only able to make use of a fraction of log data being collected.
                          - Monitoring tools cannot be configured to make use of new logging streams, as they come online.
                          - Monitoring staff have a lack of awareness of the essential function(s) the organisation provides, what assets relate to those functions and hence the importance of the log data and security events.
                    - subprincipleitemgroup:
                        kind: Partially
                        condition: All
                        subprincipleitem:
                          - Monitoring staff have some investigative skills and a basic understanding of the data they need to work with.
                          - Monitoring staff can report to other parts of the organisation (e.g. security directors, resilience managers).
                          - Monitoring staff are capable of following most of the required workflows.
                          - Your monitoring tools can make use of logging that would capture most unsophisticated and untargeted attack types.
                          - Your monitoring tools work with most log data, with some configuration.
                          - Monitoring staff are aware of some essential function(s) and can manage alerts relating to them.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - You have monitoring staff, who are responsible for the analysis, investigation and reporting of monitoring alerts covering both security and performance.
                          - Monitoring staff have defined roles and skills that cover all parts of the monitoring and investigation process.
                          - Monitoring staff follow policies, processes and procedures that address all governance reporting requirements, internal and external.
                          - Monitoring staff are empowered to look beyond the fixed process to investigate and understand non-standard threats, by developing their own investigative techniques and making new use of data.
                          - Your monitoring tools make use of all log data collected to pinpoint activity within an incident.
                          - Monitoring staff and tools drive and shape new log data collection and can make wide use of it.
                          - Monitoring staff are aware of the operation of essential function(s) and related assets and can identify and prioritise alerts or investigations that relate to them.
        - principle:
            name: Principle C2 Proactive Security Event Discovery
            description: The organisation detects, within network and information systems, malicious activity affecting, or with the potential to affect, the operation of essential functions even when the activity evades standard signature based security prevent/detect solutions (or when standard solutions are not deployable).
            sub-principles:
              - sub-principle:
                  name: C2.a System Abnormalities for Attack Detection
                  description: You define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity that is otherwise hard to identify.
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - Normal system behaviour is insufficiently understood to be able to use system abnormalities to detect malicious activity.
                          - You have no established understanding of what abnormalities to look for that might signify malicious activities.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - Normal system behaviour is fully understood to such an extent that searching for system abnormalities is a potentially effective way of detecting malicious activity (e.g. you fully understand which systems should and should not communicate and when).
                          - System abnormality descriptions from past attacks and threat intelligence, on yours and other networks, are used to signify malicious activity.
                          - The system abnormalities you search for consider the nature of attacks likely to impact on the network and information systems supporting the operation of your essential function(s).
                          - The system abnormality descriptions you use are updated to reflect changes in your network and information systems and current threat intelligence.
              - sub-principle:
                  name: C2.b Proactive Attack Discovery
                  description: You use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity.
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - You do not routinely search for system abnormalities indicative of malicious activity.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - You routinely search for system abnormalities indicative of malicious activity on the network and information systems supporting the operation of your essential function(s), generating alerts based on the results of such searches.
                          - You have justified confidence in the effectiveness of your searches for system abnormalities indicative of malicious activity.

  - objective:
      name: Objective D - Minimising the impact of cyber security incidents
      description: Capabilities exist to minimise the adverse impact of a cyber security incident on the operation of essential functions, including the restoration of those function(s) where necessary.
      principles:
        - principle:
            name: Principle D1 Response and Recovery Planning
            description: There are well-defined and tested incident management processes in place, that aim to ensure continuity of essential function(s) in the event of system or service failure. Mitigation activities designed to contain or limit the impact of compromise are also in place.
            sub-principles:
              - sub-principle:
                  name: D1.a Response Plan
                  description: You have an up-to-date incident response plan that is grounded in a thorough risk assessment that takes account of your essential function(s) and covers a range of incident scenarios.
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - Your incident response plan is not documented.
                          - Your incident response plan does not include your organisation's identified essential function(s).
                          - Your incident response plan is not well understood by relevant staff.
                    - subprincipleitemgroup:
                        kind: Partially
                        condition: All
                        subprincipleitem:
                          - Your incident response plan covers your essential function(s).
                          - Your incident response plan comprehensively covers scenarios that are focused on likely impacts of known and well understood attacks only.
                          - Your incident response plan is understood by all staff who are involved with your organisation's response function.
                          - Your incident response plan is documented and shared with all relevant stakeholders.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - Your incident response plan is based on a clear understanding of the security risks to the network and information systems supporting your essential function(s).
                          - Your incident response plan is comprehensive (i.e. covers the complete lifecycle of an incident, roles and responsibilities, and reporting) and covers likely impacts of both known attack patterns and of possible attacks, previously unseen.
                          - Your incident response plan is documented and integrated with wider organisational business plans and supply chain response plans, as well as dependencies on supporting infrastructure (e.g. power, cooling, etc.).
                          - Your incident response plan is communicated and understood by the business areas involved with the operation of your essential function(s).

              - sub-principle:
                  name: D1.b Response and Recovery Capability
                  description: You have the capability to enact your incident response plan, including effective limitation of impact on the operation of your essential function(s). During an incident, you have access to timely information on which to base your response decisions.
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - Inadequate arrangements have been made to make the right resources available to implement your response plan.
                          - Your response team members are not equipped to make good response decisions and put them into effect.
                          - Inadequate back-up mechanisms exist to allow the continued operation of your essential function(s) during an incident.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - You understand the resources that will likely be needed to carry out any required response activities, and arrangements are in place to make these resources available.
                          - You understand the types of information that will likely be needed to inform response decisions and arrangements are in place to make this information available.
                          - Your response team members have the skills and knowledge required to decide on the response actions necessary to limit harm, and the authority to carry them out.
                          - Key roles are duplicated, and operational delivery knowledge is shared with all individuals involved in the operations and recovery of the essential function(s).
                          - Back-up mechanisms are available that can be readily activated to allow continued operation of your essential function(s), although possibly at a reduced level, if primary network and information systems fail or are unavailable.
                          - Arrangements exist to augment your organisation's incident response capabilities with external support if necessary (e.g. specialist cyber incident responders).

              - sub-principle:
                  name: D1.c Testing and Exercising
                  description: Your organisation carries out exercises to test response plans, using past incidents that affected your (and other) organisations, and scenarios that draw on threat intelligence and your risk assessment.
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - Exercises test only a discrete part of the process (e.g. that backups are working), but do not consider all areas.
                          - Incident response exercises are not routinely carried out or are carried out in an ad-hoc way.
                          - Outputs from exercises are not fed into the organisation's lessons learned process.
                          - Exercises do not test all parts of the response cycle.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - Exercise scenarios are based on incidents experienced by your and other organisations or are composed using experience or threat intelligence.
                          - Exercise scenarios are documented, regularly reviewed, and validated.
                          - Exercises are routinely run, with the findings documented and used to refine incident response plans and protective security, in line with the lessons learned.
                          - Exercises test all parts of your response cycle relating to your essential function(s) (e.g. restoration of normal function(s) levels).

        - principle:
            name: Principle D2 Lessons Learned
            description: When an incident occurs, steps are taken to understand its root causes and to ensure appropriate remediating action is taken to protect against future incidents.
            sub-principles:
              - sub-principle:
                  name: D2.a Incident Root Cause Analysis
                  description: When an incident occurs, steps must be taken to understand its root causes and ensure appropriate remediating action is taken.
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - You are not usually able to resolve incidents to a root cause.
                          - You do not have a formal process for investigating causes.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - Root cause analysis is conducted routinely as a key part of your lessons learned activities following an incident.
                          - Your root cause analysis is comprehensive, covering organisational process issues, as well as vulnerabilities in your networks, systems or software.
                          - All relevant incident data is made available to the analysis team to perform root cause analysis.

              - sub-principle:
                  name: D2.b Using Incidents to Drive Improvements
                  description: Your organisation uses lessons learned from incidents to improve your security measures.
                  subprincipleitemgroups:
                    - subprincipleitemgroup:
                        kind: Not
                        condition: At least one
                        subprincipleitem:
                          - Following incidents, lessons learned are not captured or are limited in scope.
                          - Improvements arising from lessons learned following an incident are not implemented or not given sufficient organisational priority.
                    - subprincipleitemgroup:
                        kind: Achieved
                        condition: All
                        subprincipleitem:
                          - You have a documented incident review process/policy which ensures that lessons learned from each incident are identified, captured, and acted upon.
                          - Lessons learned cover issues with reporting, roles, governance, skills and organisational processes as well as technical aspects of network and information systems.
                          - You use lessons learned to improve security measures, including updating and retesting response plans when necessary.
                          - Security improvements identified as a result of lessons learned are prioritised, with the highest priority improvements completed quickly.
                          - Analysis is fed to senior management and incorporated into risk management and continuous improvement.