What is the Cyber Assessment Framework?
The Cyber Assessment Framework (CAF) is a collection of 14 guidelines produced by the United Kingdom National Cyber Security Centre (UK NCSC), aimed at supporting organisations in developing their cyber security systems. It is used in conjunction with the UK implementation of the EU Network and Information Systems Directive (NIS-D) to further protect Critical National Infrastructure (CNI); however, the framework is designed so that it can be applied to a wider range of organisations. The framework is broken down into four key objectives:
Managing Security Risks
Protecting Against Cyber Attacks
Detecting Cyber Security Events
Minimising the Impact of Cyber Security Incidents
Each of these objectives has several documents and subsections detailing how an organisation can comply in order to best protect itself against cyber security threats.
Why is it Important?
Year on year, more and more cyber attacks against National Infrastructure are being disclosed. Whether it is the Stuxnet virus that famously targeted the nuclear programme of Iran, or the WannaCry ransomware that shut down systems across a variety of companies including Nissan, Renault, FedEx and even the British NHS, these attacks are becoming more intricate and aggressive. As a result, the British government has realised the importance of developing and progressing the cyber security of these organisations.
This has resulted in the creation of the Cyber Assessment Framework, intended for organisations across both the CNI landscape and the wider general public. Compliance with the CAF supports a high degree of cyber resilience for critical infrastructure; cyber resilience here refers to each organisation’s ability to maintain the operation of essential functions in the event of a cyber emergency. This phrasing was chosen to signify that there are some situations with unacceptable consequences, and the aim of the CAF is to manage the risk of those situations in the event of a cyber attack. This is the first time that the following principles have been applied to both Information Technology and Operational Technology under the NIS-D, and as such it has been a significant shake-up across CNI.
How Does it Work?
The Cyber Assessment Framework is divided into 4 main Objectives: Managing Security Risks; Protecting Against Cyber Attack; Detecting Cyber Security Events; and Minimising the Impact of Cyber Security Incidents. Each of these has its own guiding principles and associated subsections, which detail the criteria for fulfilling them.
Managing Cyber Security Risks refers to the organisation “having appropriate management policies and processes in place to govern its approach to the security of network and information systems”. This objective is split into the following principles:
Governance: Putting in place the policies and processes which govern your organisation’s approach to the security of network and information systems.
Risk Management: Identification, assessment and understanding of security risks, and the establishment of an overall organisational approach to risk management.
Asset Management: Determining and understanding all systems and/or services required to maintain or support essential functions.
Supply Chain: Understanding and managing the security risks to networks and information systems which arise from dependencies on external suppliers.
Objective B covers Protecting Against Cyber Attacks. The guiding principle for Objective B is that “Proportionate security measures are in place to protect the network and information systems supporting essential functions from cyber attack”. Its sections are split as follows:
Service Protection Policies and Processes: Defining and communicating appropriate organisational policies and processes to secure systems and data that support the operation of essential functions.
Identity and Access Control: Understanding, documenting and controlling access to networks and information systems supporting essential functions.
Data Security: Protecting stored or electronically transmitted data from actions that may cause an adverse impact on essential functions.
System Security: Protecting critical network and information systems and technology from cyber attack.
Resilient Networks and Systems: Building resilience against cyber attack.
Staff Awareness and Training: Appropriately supporting staff to ensure they make a positive contribution to the cyber security of essential functions.
Objective C focuses entirely on the detection of cyber security events, with the guiding principle that “Capabilities exist to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential functions”. Its sections are split as follows:
Security Monitoring: Monitoring to detect potential security problems and track the effectiveness of existing security measures.
Proactive Security Event Discovery: Detecting anomalous events in relevant network and information systems.
The final objective, Objective D, focuses on Minimising the Impact of Cyber Security Incidents. It aims to ensure that “Capabilities exist to minimise the adverse impact of a cyber security incident on the operation of essential functions, including the restoration of those functions where necessary”. Its sections are split as follows:
Response and Recovery Planning: Putting suitable incident management and mitigation processes in place.
Lessons Learned: Learning from incidents and implementing these lessons to improve the resilience of essential functions.
How Can We Help?
Here at Awen, we appreciate how difficult a task the CAF can be, especially for those with less experience of cyber security compliance. The documentation provided by the NCSC can be dense and difficult to comprehend, and as such it can leave even the most experienced staff lost as to where to start.
Through the use of Profile, you will be able to generate a tailored CAF profile report, as well as add supporting evidence for each guideline and indicator where applicable. Each guideline has been examined and extracted into a series of clear and intuitive questions. Companies can assign several staff members to individual areas, and collaborative reports can be generated. In addition to Profile, our flagship product Dot can assist with initial asset discovery and risk assessment, as well as robust ongoing maintenance of your systems and networks - please get in touch for a no-obligation consultation.