NCSC Cyber Assessment Framework Explained

Cyber Assessment Framework

The Cyber Assessment Framework (CAF) is a set of guidelines produced by the UK's National Cyber Security Centre (NCSC) to enhance the security of network and information systems, especially those supporting critical functions like electricity supply, healthcare, and transportation.

Aimed at addressing the increased threat of cyber incidents, the guidance is particularly relevant to organisations involved in Critical National Infrastructure (CNI), those subject to cyber regulations or Network and Information Systems (NIS) Regulations, and organisations responsible for managing cyber-related risks to public safety.

"The CAF provides a systematic and comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organisation responsible."

The National Cyber Security Centre

What are the Aims of the Cyber Assessment Framework?

The CAF is intended to be utilised to manage risk and improve overall cyber resilience and to improve organisations' ability to maintain essential functions in the face of an ever-evolving threat landscape.

The CAF framework is written primarily in terms of outcomes rather than a more usual compliance checklist.

With multiple ways to achieve these 'top-level' outcomes, rather than rigid rules, the NCSC advocates a principles-based approach. An approach which is generally considered more adaptable to the dynamic nature of cybersecurity and aligns with UK goal-based regulations.

The intent is not to create an exhaustive cybersecurity checklist, as organisations are best suited to understand their unique contexts. The NCSC encourages organisations to:

1. Understand the principles and their importance.
2. Interpret the principles for their specific context.
3. Compare current practices with the outcomes described in the principles, using guidance.
4. Identify and prioritise shortcomings based on organisational context. And
5. Implement prioritised remediation, guided by the provided recommendations.

Cyber Assessment Framework Objectives and Principles

The following is a general summary of the NCSC's Cyber Assessment Framework. For a complete description of the framework please consult the NCSC's official website.

The objectives and principles include:

Objective A: Managing Security Risk

A1 Governance

• Principle: The organisation has appropriate management policies and processes for the security of network and information systems.

• Description: Effective security is driven by organisational management, with clear governance structures, accountability, and 'risk appetite'. Senior management defines unacceptable impacts on business, allowing informed risk decisions at all levels.

• Relevant Standards:

• Risk Management Standards: ISO 27001, an Information Security Management System (ISMS), aids in governing cybersecurity risk.

• IEC 62443-2-1: Relevant for organisations responsible for essential functions in certain sectors, aligning cybersecurity risk with safety risk management practices.

A2 Risk Management

• Principle: The organisation identifies, assesses, and understands security risks to networks supporting essential functions, establishing an overall approach to risk management.

• Description: Organisations must identify and manage risks systematically. Threats from various sources require a good understanding of the threat landscape. Confidence in risk mitigations is gained through systematic processes, monitoring, and collaboration.

• Guidance:

• NCSC Risk Management Guidance: Recommends a system-based and component-driven approach for organisations responsible for essential functions.

• Risk Methods and Frameworks: Choose an approach aligned with business needs.

A3 Asset Management

• Principle: Everything necessary for the operation of essential functions, including data, people, systems, and supporting infrastructure, is determined and understood.

• Description: To manage security risks effectively, organisations need a clear understanding of service dependencies, including physical assets, software, data, staff, and utilities. Identification and recording of these elements are crucial.

• Guidance:

• ISO 27001/2: An ISMS, traditionally for information risk management, can be used for cybersecurity risks to essential functions.

• ISO 55001 - Asset Management: Aligns with ISO 27001, outlining requirements for a generic asset management system.

• ITIL: Recommends a staged approach to IT asset management, useful for improving management but considering assets beyond the corporate IT domain.

A4 Supply Chain

• Principle: The organisation understands and manages security risks to networks and information systems supporting essential functions arising from dependencies on external suppliers, ensuring appropriate measures are taken when using third-party services.

• Description: Organisations, even when relying on third parties like outsourced or cloud-based services, remain accountable for protecting essential functions. Contractual agreements should guarantee confidence in meeting all security requirements, regardless of whether the organisation or a third party operates the function.

• Guidance:

• Data Protection: Ensure the protection of shared data with third parties, safeguarding it from unauthorised access, modification, or deletion that could impact essential functions.

• Security Specification: Effectively specify the security properties of products or services procured from third parties, incorporating security requirements derived from the principles.

• Network Connections: Ensure network connections or data sharing with third parties do not introduce unmanaged vulnerabilities affecting security.

• Trustworthiness: Ensure third-party suppliers are trustworthy, managing malicious attempts to subvert the security of products or systems affecting essential functions.

Objective B: Protecting Against Cyber Attacks

B1 Service Protection Policies and Processes

• Principle: The organisation defines, implements, communicates, and enforces appropriate policies and processes directing its overall approach to securing systems and data supporting essential functions.

• Description: The organisation's approach to securing essential function networks and information systems should be articulated in comprehensive security policies and associated processes. They should be tailored to the intended recipients, considering the varied needs and perspectives of different stakeholders.

• Guidance:

• Organisational Security Policy: A high-level policy endorsed by senior management, outlining the overarching approach to governing security, managing risks, and expressing the organisation's aims for security.

• Supporting Policies: Lower-level policies controlling, directing, and communicating organisational security practice.

• Compliance Policies: Specific policies aligned with sector regulations, standards, etc., ensuring adherence to relevant compliance regimes (e.g., ISO/IEC 27001).

• People-Focused Approach:

• Recognise the human limits of compliance and associated costs to security behaviours.

• Understand how people work with systems and data, fostering security conversations with various stakeholders.

• Engage in personal interviews, staff surveys, and involve people in the design of processes and policies.

• Develop practical security policies and processes, reducing human effort required for compliance.

• Implementation and Communication:

• Communicate policies effectively to all who can impact system security.

• Utilise continued security conversations and staff awareness and training programs.

• Define suitable data and metrics before implementation to evaluate effectiveness.

• Improvement:

• Design policies to be adaptable, regularly reviewing them in light of security breaches for continuous improvement.

B2 Identity and Access Control

• Principle: The organisation understands, documents, and manages access to networks and information systems.

• Description: The organisation should have a clear understanding of who or what has authorisation to interact with essential function networks and information systems. Access rights should be carefully controlled, periodically reviewed, and removed when no longer needed. Users, devices, and systems must undergo appropriate verification, authentication, and authorisation before accessing data or services.

• Guidance:

• Identity and Access Management: Robust systems ensuring essential functions are not adversely affected by unauthorised access.

• Physical Security: Protect physical access to networks and information systems supporting essential functions.

B3 Data Security

• Principle: Data stored or electronically transmitted is protected from actions that may cause an adverse impact on essential functions.

• Description: Protection measures for data supporting essential functions must match associated risks. Prevent unauthorised access, modification, or deletion, addressing confidentiality, integrity, and availability (CIA) concerns. Protect data during transit, storage, and use. Identify and protect critical information that could aid attackers.

• Guidance:

• Design to Protect Data:

• Minimise copies of sensitive data, limit access, and deploy tested cryptographic suites.

• Use resilience measures like multiple network paths and backup systems.

• Apply NCSC principles for protecting bulk personal data to data supporting essential functions.

• Protecting Data in Transit:

• Use VPNs, TLS, or IPSec for encryption, protecting against interception and manipulation.

• Implement alternative communication links for critical data paths.

• Protecting Data at Rest:

• Identify storage locations, limit data quantity, and detail stored data on vulnerable devices.

• Encrypt storage devices and media, physically protect them, and secure backups.

• Protecting Data on Mobile Devices:

• Favor well-configured, business-owned devices, and monitor those accessing data.

• Ensure partners or suppliers apply adequate security controls to their devices.

• Secure Disposal:

• Sanitise media and operational equipment to securely dispose of data important to essential functions.

B4 System Security

• Principle: Protect critical network and information systems and technology critical for the operation of essential functions from cyber attacks.

• Description: Employ protective security measures to minimise opportunities for attackers to compromise the security of networks and information systems supporting essential functions. Address vulnerabilities arising from flaws, features, and user errors. Protect against software vulnerabilities by keeping software up-to-date and applying security patches. Limit functionality, carefully configure systems, and provide staff training to manage potential vulnerabilities.

• Guidance:

• System Design:

• Design systems to make compromise difficult, detectable, with critical services segregated into higher security zones.

• Reduce the attack surface and ensure a secured platform by default.

• Include a separate management layer, resilience, and recovery features.

• Configuration:

• Use baseline builds for consistent, secure platforms.

• Employ configuration management policies to control software installations and authorised devices.

• Maintain records of the "known good" configuration for recovery.

• Prevent users from changing settings affecting service security.

• Configure network devices to limit access to essential business operations.

• System Management:

• Manage routine system operations to support security.

• Ensure up-to-date technical documentation.

• Vulnerability Management:

• Manage flaws, features, and user errors to reduce the likelihood of vulnerabilities being accessed or exploited.

• Prevent exploitation by maintaining systems with the latest patches and trusted updates.

• Use segregation and access controls to limit exposure to vulnerabilities.

• Implement regular vulnerability assessments, penetration tests, and security scans.

B5 Resilient Networks and Systems

• Principle: Build resilience against cyber attacks into the design, implementation, operation, and management of systems supporting essential functions.

• Description: Ensure that essential functions are resilient to cyber attacks, incorporating technical protection measures and additional contingency capabilities. Maintain systems and administration devices to withstand attacks. Be prepared for significant disruption through business continuity and disaster recovery planning.

• Guidance:

• Preparation:

• Have business continuity and disaster recovery plans in place.

• Test plans through testing and scenario walk-throughs.

• Adjust security measures based on changes in risk.

• Maintenance and Repair:

• Maintain networks, information systems, and technologies to reduce the likelihood of failure or attack.

• Manage exceptions appropriately.

• Segregation:

• Segregate essential function networks from other business and external systems.

• Capacity:

• Understand and manage limitations of networks and systems to avoid resource overload.

• Diversity and Dependencies:

• Use diverse technologies and geographic locations for resilience.

• Manage external or lower-priority dependencies for continuation of essential functions.

• Working Backups:

• Maintain secured offline backups for hardware, data, and configurations.

• Consider alternative backups such as paper-based information and manual processes.

• Physical Resilience:

• Have policies and measures for physical and environmental security.

• Plan physical upgrades to avoid unplanned interruptions.

B6 Staff Awareness and Training

• Principle: Ensure staff have appropriate awareness, knowledge, and skills to contribute positively to the cybersecurity of essential functions.

• Description: Staff are crucial to an organisation's secure operation. Implement security awareness and training programs tailored to how people work with security. Foster a positive security culture where employees actively contribute to improving security.

• Guidance:

• Training and Awareness:

• Provide cyber security skills based on job roles and how people work with systems.

• Use various training methods, including briefings, online courses, blogs, and simulated cyber attacks.

• Security Culture:

• Create a positive security culture where individuals are aware of their role in maintaining security.

• Develop a long-term security culture vision endorsed by senior management.

• Communications:

• Actively engage with staff and communicate effectively about network and information system security.

• Promote a vision of a long-term security culture supported by senior management.

• Build on activities supporting positive safety culture, especially in safety-related essential functions.

Objective C: Protecting Against Cyber Attacks

C1 Security Monitoring

• Principle: Monitor the security status of networks and systems supporting essential functions to detect potential security problems and track the ongoing effectiveness of protective security measures.

• Description: Implement effective monitoring strategies, utilising tools and skilled analysis to identify indicators of compromise promptly. Ensure continuous operational security by reviewing and maintaining the effectiveness of security measures throughout the system or service lifecycle.

• Guidance:

• Known and Unknown Threats:

• Focus on detecting incidents or activities that could adversely impact essential functions.

• Be capable of identifying both known and unknown threats through automated tools and local system knowledge.

• Monitoring and Analysis Tools:

• Collect and aggregate logs from various sources, including web traffic, email traffic, IP connections, and host-based activities.

• Capture staff use of corporate systems to identify suspicious user behaviour.

• Compare collected logs against Indicators of Compromise to detect known threats.

• Choose appropriate tools to analyse and correlate network datasets, ensuring flexibility and training for staff.

• Governance, Roles, and Workflows:

• Form operational monitoring teams covering both security and performance-related monitoring.

• Include individuals with knowledge of the network, hardware, software, and data processing.

• Establish roles for investigators and managers, ensuring seamless collaboration with Incident Management.

• Regular Review and Updates:

• Evolve monitoring capabilities with business requirements, network changes, and evolving threats.

• Choose configurable tools that can handle new datasets, and ensure staff can adapt to changes.

C2 Proactive Security Event Discovery

• Principle: Detect malicious activity affecting or with the potential to affect essential functions, even when evading standard security solutions.

• Description: Detect attacks that might evade standard security tools by identifying less direct indicators of malicious activity. Examples include deviations from normal user interactions, unusual network traffic patterns, and signs of attack, such as lateral movement or privilege escalation.

• Guidance:

• Anomalous Events:

• Look beyond standard security tools for less direct indicators of malicious activity.

• Examples include deviations from normal user interactions, unusual network traffic patterns, and signs of attack like lateral movement.

• Building Alerts and Trip-Wires:

• Design alerts based on experience and reasoning about potential intrusions.

• Understand normal system behaviour and potential anomalies that may signify a malicious intrusion.

• Design with Proactive Security in Mind:

• Design networks and systems supporting essential functions with proactive security event discovery in mind.

Objective D: Minimising the Impact of Cyber Security Incidents

D1 Response and Recovery Planning

• Principle: Establish well-defined and tested incident management processes to ensure continuity of essential functions in the event of system or service failure.

• Description: Prepare for cyber incidents by putting in place mechanisms that minimise the impact on essential functions, such as DDoS protection, critical system redundancy, and backup processes. Consider mandatory reporting requirements around cyber security incidents.

• Guidance:

• Incident Response Plan:

• Ground incident response plans in thorough risk assessments.

• Prioritise essential functions and related assets.

• Link cyber incident response plans to other business response functions.

• Form a capable cyber response team with diverse skills and tools.

• Scenario Planning:

• Develop auditable and testable plans across various incident scenarios.

• Consider malware infections, denial of service, hacker infiltrations, insider incidents, system failures, and more.

• Integrate lessons learned and adapt plans based on changes to security functions.

• Governance and Reporting:

• Articulate clear governance frameworks and roles.

• Set reporting thresholds and standards for incidents.

• Include comprehensive containment, eradication, and recovery strategies.

• Exercises and Testing:

• Run exercises reflecting past experience, red-teaming, and threat intelligence.

D2 Lessons Learned

• Principle: Learn from incidents, address root causes, and take remedial action to improve the resilience of essential functions.

• Description: Understand the root causes of incidents and take actions to address systemic problems rather than narrow issues. Learn from incidents to enhance overall protective security and incident response plans.

• Guidance:

• Root Causes and Shortfall:

• Assess root causes and factors hindering standard recovery.

• Consider measures to prevent similar incidents in the future.

• Improve detection quality, system design, and response capabilities.

• Reporting Quality:

• Produce good-quality reporting during incident response and exercises.

• Ensure information sharing, governance, and clearly defined roles.

• Risk Reduction:

• Actively reduce risks associated with future incidents.

• Apply lessons learned to enhance system configuration, security monitoring, investigation procedures, and governance.