diff --git a/backend/library/libraries/ncsc-caf-3.2.yaml b/backend/library/libraries/ncsc-caf-3.2.yaml new file mode 100644 index 000000000..b30970be3 --- /dev/null +++ b/backend/library/libraries/ncsc-caf-3.2.yaml 
@@ -0,0 +1,1932 @@ +urn: urn:intuitem:risk:library:ncsc-caf-3.2 +locale: en +ref_id: ncsc-caf-3.2 +name: Cyber Assessment Framework +description: 'National Cyber Security Centre - Cyber Assessment Framework + + https://www.ncsc.gov.uk/collection/cyber-assessment-framework' +copyright: NCSC https://www.ncsc.gov.uk/collection/cyber-assessment-framework +version: 1 +provider: NCSC +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:ncsc-caf-3.2 + ref_id: ncsc-caf-3.2 + name: Cyber Assessment Framework + description: 'National Cyber Security Centre - Cyber Assessment Framework + + https://www.ncsc.gov.uk/collection/cyber-assessment-framework' + requirement_nodes: + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a + assessable: false + depth: 1 + ref_id: A + name: Managing security risk + description: Appropriate organisational structures, policies, processes and + procedures in place to understand, assess and systematically manage security + risks to the network and information systems supporting essential functions. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a + ref_id: A1 + name: Governance + description: The organisation has appropriate management policies, processes + and procedures in place to govern its approach to the security of network + and information systems. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.a + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1 + ref_id: A1.a + name: Board Direction + description: You have effective organisational security management led at board + level and articulated clearly in corresponding policies. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.a + ref_id: A1.a.1 + description: Your organisation's approach and policy relating to the security + of network and information systems supporting the operation of your essential + function(s) are owned and managed at board-level. These are communicated, + in a meaningful way, to risk management decision-makers across the organisation. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.a + ref_id: A1.a.2 + description: Regular board-level discussions on the security of network and + information systems supporting the operation of your essential function(s) + take place, based on timely and accurate information and informed by expert + guidance. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.a + ref_id: A1.a.3 + description: There is a board-level individual who has overall accountability + for the security of network and information systems and drives regular discussion + at board-level. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.a + ref_id: A1.a.4 + description: Direction set at board-level is translated into effective organisational + practices that direct and control the security of the network and information + systems supporting your essential function(s). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.b + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1 + ref_id: A1.b + name: Roles and Responsibilities + description: Your organisation has established roles and responsibilities for + the security of network and information systems at all levels, with clear + and well-understood channels for communicating and escalating risks. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.b + ref_id: A1.b.1 + description: Key roles and responsibilities for the security of network and + information systems supporting your essential function(s) have been identified. + These are reviewed regularly to ensure they remain fit for purpose. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.b + ref_id: A1.b.2 + description: Appropriately capable and knowledgeable staff fill those roles + and are given the time, authority, and resources to carry out their duties. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.b.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.b + ref_id: A1.b.3 + description: There is clarity on who in your organisation has overall accountability + for the security of the network and information systems supporting your essential + function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1 + ref_id: A1.c + name: Decision-making + description: You have senior-level accountability for the security of network + and information systems, and delegate decision-making authority appropriately + and effectively. Risks to network and information systems related to the operation + of your essential function(s) are considered in the context of other organisational + risks. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c + ref_id: A1.c.1 + description: Senior management have visibility of key risk decisions made throughout + the organisation. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c + ref_id: A1.c.2 + description: Risk management decision-makers understand their responsibilities + for making effective and timely decisions in the context of the risk appetite + regarding the essential function(s), as set by senior management. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c + ref_id: A1.c.3 + description: Risk management decision-making is delegated and escalated where + necessary, across the organisation, to people who have the skills, knowledge, + tools and authority they need. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c + ref_id: A1.c.4 + description: Risk management decisions are regularly reviewed to ensure their + continued relevance and validity. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a + ref_id: A2 + name: Risk Management + description: The organisation takes appropriate steps to identify, assess and + understand security risks to the network and information systems supporting + the operation of essential functions. This includes an overall organisational + approach to risk management. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2 + ref_id: A2.a + name: Risk Management Process + description: Your organisation has effective internal processes for managing + risks to the security of network and information systems related to the operation + of your essential function(s) and communicating associated activities. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + ref_id: A2.a.1 + description: Your organisational process ensures that security risks to network + and information systems relevant to essential function(s) are identified, + analysed, prioritised, and managed. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + ref_id: A2.a.2 + description: Your approach to risk is focused on the possibility of adverse + impact to your essential function(s), leading to a detailed understanding + of how such impact might arise as a consequence of possible attacker actions + and the security properties of your network and information systems. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + ref_id: A2.a.3 + description: Your risk assessments are based on a clearly understood set of + threat assumptions, informed by an up-to-date understanding of security threats + to your essential function(s) and your sector. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + ref_id: A2.a.4 + description: Your risk assessments are informed by an understanding of the vulnerabilities + in the network and information systems supporting your essential function(s). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + ref_id: A2.a.5 + description: The output from your risk management process is a clear set of + security requirements that will address the risks in line with your organisational + approach to security. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + ref_id: A2.a.6 + description: Significant conclusions reached in the course of your risk management + process are communicated to key security decision-makers and accountable individuals. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + ref_id: A2.a.7 + description: Your risk assessments are dynamic and updated in the light of relevant + changes which may include technical changes to network and information systems, + change of use and new threat information. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a.8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + ref_id: A2.a.8 + description: The effectiveness of your risk management process is reviewed regularly, + and improvements made as required. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a.9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + ref_id: A2.a.9 + description: You perform detailed threat analysis and understand how this applies + to your organisation in the context of the threat to your sector and the wider + CNI. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2 + ref_id: A2.b + name: Assurance + description: You have gained confidence in the effectiveness of the security + of your technology, people, and processes relevant to your essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b + ref_id: A2.b.1 + description: "You validate that the security measures in place to protect the\ + \ network and information systems\Lare effective and remain effective for\ + \ the lifetime over which they are needed." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b + ref_id: A2.b.2 + description: You understand the assurance methods available to you and choose + appropriate methods to gain confidence in the security of essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b + ref_id: A2.b.3 + description: "Your confidence in the security as it relates to your technology,\ + \ people, and processes can be\Ljustified to, and verified by, a third party." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b + ref_id: A2.b.4 + description: Security deficiencies uncovered by assurance activities are assessed, + prioritised and remedied when necessary in a timely and effective way. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b + ref_id: A2.b.5 + description: The methods used for assurance are reviewed to ensure they are + working as intended and remain the most appropriate method to use. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a + ref_id: A3 + name: Asset Management + description: Everything required to deliver, maintain or support network and + information systems necessary for the operation of essential functions is + determined and understood. This includes data, people and systems, as well + as any supporting infrastructure (such as power or cooling). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3 + ref_id: A3.a + name: Asset Management + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a + ref_id: A3.a.1 + description: All assets relevant to the secure operation of essential function(s) + are identified and inventoried (at a suitable level of detail). The inventory + is kept up-to-date. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a + ref_id: A3.a.2 + description: Dependencies on supporting infrastructure (e.g. power, cooling + etc) are recognised and recorded. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a + ref_id: A3.a.3 + description: You have prioritised your assets according to their importance + to the operation of the essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a + ref_id: A3.a.4 + description: You have assigned responsibility for managing all assets, including + physical assets, relevant to the operation of the essential function(s). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a + ref_id: A3.a.5 + description: Assets relevant to the essential function(s) are managed with cyber + security in mind throughout their lifecycle, from creation through to eventual + decommissioning or disposal. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a + ref_id: A4 + name: Supply Chain + description: The organisation understands and manages security risks to network + and information systems supporting the operation of essential functions that + arise as a result of dependencies on external suppliers. This includes ensuring + that appropriate measures are employed where third party services are used. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4 + ref_id: A4.a + name: Supply Chain + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a + ref_id: A4.a.1 + description: "You have a deep understanding of your supply chain, including\ + \ sub- contractors and the wider risks it faces. You consider factors such\ + \ as supplier\u2019s partnerships, competitors, nationality and other organisations\ + \ with which they sub- contract. This informs your risk assessment and procurement\ + \ processes." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a + ref_id: A4.a.2 + description: Your approach to supply chain risk management considers the risks + to your essential function(s) arising from supply chain subversion by capable + and well-resourced attackers. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a + ref_id: A4.a.3 + description: You have confidence that information shared with suppliers that + is essential to the operation of your function(s) is appropriately protected + from sophisticated attacks. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a + ref_id: A4.a.4 + description: You understand which contracts are relevant and you include appropriate + security obligations in relevant contracts. You have a proactive approach + to contract management which may include a contract management plan for relevant + contracts. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a + ref_id: A4.a.5 + description: Customer / supplier ownership of responsibilities is laid out in + contracts. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a + ref_id: A4.a.6 + description: All network connections and data sharing with third parties are + managed effectively and proportionately. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a + ref_id: A4.a.7 + description: When appropriate, your incident management process and that of + your suppliers provide mutual support in the resolution of incidents. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b + assessable: false + depth: 1 + ref_id: B + name: Protecting against cyber attack + description: Proportionate security measures are in place to protect the network + and information systems supporting essential functions from cyber attack. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b + ref_id: B1 + name: Service Protection Policies, Processes and Procedures + description: The organisation defines, implements, communicates and enforces + appropriate policies, processes and procedures that direct its overall approach + to securing systems and data that support operation of essential functions. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1 + ref_id: B1.a + name: Policy, Process and Procedure Development + description: You have developed and continue to improve a set of cyber security + and resilience policies, processes and procedures that manage and mitigate + the risk of adverse impact on your essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a + ref_id: B1.a.1 + description: You fully document your overarching security governance and risk + management approach, technical security practice and specific regulatory compliance. + Cyber security is integrated and embedded throughout policies, processes and + procedures and key performance indicators are reported to your executive management. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a + ref_id: B1.a.2 + description: "Your organisation\u2019s policies, processes and procedures are\ + \ developed to be practical, usable and appropriate for your essential function(s)\ + \ and your technologies." 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a + ref_id: B1.a.3 + description: Policies, processes and procedures that rely on user behaviour + are practical, appropriate and achievable. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a + ref_id: B1.a.4 + description: You review and update policies, processes and procedures at suitably + regular intervals to ensure they remain relevant. This is in addition to reviews + following a major cyber security incident. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a + ref_id: B1.a.5 + description: Any changes to the essential function(s) or the threat it faces + triggers a review of policies, processes and procedures. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a + ref_id: B1.a.6 + description: Your systems are designed so that they remain secure even when + user security policies, processes and procedures are not always followed. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1 + ref_id: B1.b + name: Policy, Process and Procedure Implementation + description: You have successfully implemented your security policies, processes + and procedures and can demonstrate the security benefits achieved. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b + ref_id: B1.b.1 + description: All your policies, processes and procedures are followed, their + correct application and security effectiveness is evaluated. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b + ref_id: B1.b.2 + description: Your policies, processes and procedures are integrated with other + organisational policies, processes and procedures, including HR assessments + of individuals' trustworthiness. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b + ref_id: B1.b.3 + description: Your policies, processes and procedures are effectively and appropriately + communicated across all levels of the organisation resulting in good staff + awareness of their responsibilities. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b + ref_id: B1.b.4 + description: Appropriate action is taken to address all breaches of policies, + processes and procedures with potential to adversely impact the essential + function(s) including aggregated breaches. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b + ref_id: B2 + name: Identity and Access Control + description: The organisation understands, documents and manages access to network + and information systems supporting the operation of essential functions. Users + (or automated functions) that can access data or systems are appropriately + verified, authenticated and authorised. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2 + ref_id: B2.a + name: Identity Verification, Authentication and Authorisation + description: You robustly verify, authenticate and authorise access to the network + and information systems supporting your essential function(s). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a + ref_id: B2.a.1 + description: "Your process of initial identity verification is robust enough\ + \ to provide a high level of confidence of a user\u2019s identity profile\ + \ before allowing an authorised user access to network and information systems\ + \ that support your essential function(s)." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a + ref_id: B2.a.2 + description: Only authorised and individually authenticated users can physically + access and logically connect to your network or information systems on which + your essential function(s) depends. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a + ref_id: B2.a.3 + description: The number of authorised users and systems that have access to + all your network and information systems supporting the essential function(s) + is limited to the minimum necessary. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a + ref_id: B2.a.4 + description: "You use additional authentication mechanisms, such as multi-factor\L\ + (MFA), for all user access, including remote access, to all network and information\ + \ systems that operate or support your essential function(s)." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a + ref_id: B2.a.5 + description: The list of users and systems with access to network and information + systems supporting and delivering the essential function(s) is reviewed on + a regular basis, at least every six months. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a + ref_id: B2.a.6 + description: Your approach to authenticating users, devices and systems follows + up to date best practice. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2 + ref_id: B2.b + name: Device Management + description: You fully know and have trust in the devices that are used to access + your networks, information systems and data that support your essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b + ref_id: B2.b.1 + description: All privileged operations performed on your network and information + systems supporting your essential function(s) are conducted from highly trusted + devices, such as Privileged Access Workstations, dedicated solely to those + operations. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b + ref_id: B2.b.2 + description: You either obtain independent and professional assurance of the + security of third-party devices or networks before they connect to your network + and information systems, or you only allow third-party devices or networks + that are dedicated to supporting your network and information systems to connect. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b + ref_id: B2.b.3 + description: You perform certificate-based device identity management and only + allow known devices to access systems necessary for the operation of your + essential function(s). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b + ref_id: B2.b.4 + description: You perform regular scans to detect unknown devices and investigate + any findings. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2 + ref_id: B2.c + name: Privileged User Management + description: You closely manage privileged user access to network and information + systems supporting your essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c + ref_id: B2.c.1 + description: Privileged user access to network and information systems supporting + your essential function(s) is carried out from dedicated separate accounts + that are closely monitored and managed. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c + ref_id: B2.c.2 + description: The issuing of temporary, time- bound rights for privileged user + access and / or external third- party support access is in place. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c + ref_id: B2.c.3 + description: Privileged user access rights are regularly reviewed and always + updated as part of your joiners, movers and leavers process. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c + ref_id: B2.c.4 + description: All privileged user activity is routinely reviewed, validated and + recorded for offline analysis and investigation. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2 + ref_id: B2.d + name: Identity and Access Management (IdAM) + description: You closely manage and maintain identity and access control for + users, devices and systems accessing the network and information systems supporting + your essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d + ref_id: B2.d.1 + description: You follow a robust procedure to verify each user and issue the + minimum required access rights, and the application of the procedure is regularly + audited. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d + ref_id: B2.d.2 + description: User access rights are reviewed both when people change roles via + your joiners, leavers and movers process and at regular intervals - at least + annually. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d + ref_id: B2.d.3 + description: All user, device and systems access to the systems supporting the + essential function(s) is logged and monitored. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d + ref_id: B2.d.4 + description: You regularly review access logs and correlate this data with other + access records and expected activity. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d + ref_id: B2.d.5 + description: Attempts by unauthorised users, devices or systems to connect to + the systems supporting the essential function(s) are alerted, promptly assessed + and investigated. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b + ref_id: B3 + name: Data Security + description: Data stored or transmitted electronically is protected from actions + such as unauthorised access, modification, or deletion that may cause an adverse + impact on essential functions. Such protection extends to the means by which + authorised users, devices and systems access critical data necessary for the + operation of essential functions. It also covers information that would assist + an attacker, such as design details of network and information systems. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3 + ref_id: B3.a + name: Understanding Data + description: You have a good understanding of data important to the operation + of your essential function(s), where it is stored, where it travels and how + unavailability or unauthorised access, modification or deletion would adversely + impact the essential function(s). This also applies to third parties storing + or accessing data important to the operation of your essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + ref_id: B3.a.1 + description: You have identified and catalogued all the data important to the + operation of the essential function(s), or that would assist an attacker. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + ref_id: B3.a.2 + description: You have identified and catalogued who has access to the data important + to the operation of the essential function(s). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + ref_id: B3.a.3 + description: You maintain a current understanding of the location, quantity + and quality of data important to the operation of the essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + ref_id: B3.a.4 + description: You take steps to remove or minimise unnecessary copies or unneeded + historic data. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + ref_id: B3.a.5 + description: You have identified all mobile devices and media that may hold + data important to the operation of the essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + ref_id: B3.a.6 + description: You maintain a current understanding of the data links used to + transmit data that is important to your essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + ref_id: B3.a.7 + description: You understand the context, limitations and dependencies of your + important data. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a.8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + ref_id: B3.a.8 + description: You understand and document the impact on your essential function(s) + of all relevant scenarios, including unauthorised data access, modification + or deletion, or when authorised users are unable to appropriately access this + data. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a.9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + ref_id: B3.a.9 + description: You validate these documented impact statements regularly, at least + annually. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.b + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3 + ref_id: B3.b + name: Data in Transit + description: You have protected the transit of data important to the operation + of your essential function(s). This includes the transfer of data to third + parties. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.b + ref_id: B3.b.1 + description: You have identified and protected (effectively and proportionately) + all the data links that carry data important to the operation of your essential + function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.b + ref_id: B3.b.2 + description: You apply appropriate physical and / or technical means to protect + data that travels over non-trusted or openly accessible carriers, with justified + confidence in the robustness of the protection applied. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.b.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.b + ref_id: B3.b.3 + description: Suitable alternative transmission paths are available where there + is a significant risk of impact on the operation of the essential function(s) + due to resource limitation (e.g. transmission equipment or function failure, + or important data being blocked or jammed). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3 + ref_id: B3.c + name: Stored Data + description: You have protected stored soft and hard copy data important to + the operation of your essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c + ref_id: B3.c.1 + description: All copies of data important to the operation of your essential + function(s) are necessary. Where this important data is transferred to less + secure systems, the data is provided with limited detail and / or as a read-only + copy. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c + ref_id: B3.c.2 + description: You have applied suitable physical and / or technical means to + protect this important stored data from unauthorised access, modification + or deletion. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c + ref_id: B3.c.3 + description: If cryptographic protections are used you apply suitable technical + and procedural means, and you have justified confidence in the robustness + of the protection applied. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c + ref_id: B3.c.4 + description: You have suitable, secured backups of data to allow the operation + of the essential function(s) to continue should the original data not be available. + This may include off- line or segregated backups, or appropriate alternative + forms such as paper copies. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c + ref_id: B3.c.5 + description: Necessary historic or archive data is suitably secured in storage. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.d + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3 + ref_id: B3.d + name: Mobile Data + description: You have protected data important to the operation of your essential + function(s) on mobile devices. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.d.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.d + ref_id: B3.d.1 + description: Mobile devices that hold data that is important to the operation + of the essential function(s) are catalogued, are under your organisation's + control and configured according to best practice for the platform, with appropriate + technical and procedural policies in place. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.d.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.d + ref_id: B3.d.2 + description: Your organisation can remotely wipe all mobile devices holding + data important to the operation of the essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.d.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.d + ref_id: B3.d.3 + description: You have minimised this data on these mobile devices. Some data + may be automatically deleted off mobile devices after a certain period. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.e + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3 + ref_id: B3.e + name: Media / Equipment Sanitisation + description: Before reuse and / or disposal you appropriately sanitise devices, + equipment and removable media holding data important to the operation of your + essential function(s). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.e.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.e + ref_id: B3.e.1 + description: You catalogue and track all devices that contain data important + to the operation of the essential function(s) (whether a specific storage + device or one with integral storage). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.e.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.e + ref_id: B3.e.2 + description: Data important to the operation of the essential function(s) is + removed from all devices, equipment and removable media before reuse and / + or disposal using an assured product or service. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b + ref_id: B4 + name: System Security + description: Network and information systems and technology critical for the + operation of essential functions are protected from cyber attack. An organisational + understanding of risk to essential functions informs the use of robust and + reliable protective security measures to effectively limit opportunities for + attackers to compromise networks and systems. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4 + ref_id: B4.a + name: Secure by Design + description: You design security into the network and information systems that + support the operation of your essential function(s). You minimise their attack + surface and ensure that the operation of your essential function(s) should + not be impacted by the exploitation of any single vulnerability. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a + ref_id: B4.a.1 + description: You employ appropriate expertise to design network and information + systems. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a + ref_id: B4.a.2 + description: Your network and information systems are segregated into appropriate + security zones (e.g. systems supporting the essential function(s) are segregated + in a highly trusted, more secure zone). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a + ref_id: B4.a.3 + description: The network and information systems supporting your essential function(s) + are designed to have simple data flows between components to support effective + security monitoring. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a + ref_id: B4.a.4 + description: The network and information systems supporting your essential function(s) + are designed to be easy to recover. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a + ref_id: B4.a.5 + description: Content-based attacks are mitigated for all inputs to network and + information systems that affect the essential function(s) (e.g. via transformation + and inspection). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4 + ref_id: B4.b + name: Secure Configuration + description: You securely configure the network and information systems that + support the operation of your essential function(s). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + ref_id: B4.b.1 + description: You have identified, documented and actively manage (e.g. maintain + security configurations, patching, updating according to good practice) the + assets that need to be carefully configured to maintain the security of the + essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + ref_id: B4.b.2 + description: All platforms conform to your secure, defined baseline build, or + the latest known good configuration version for that environment. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + ref_id: B4.b.3 + description: You closely and effectively manage changes in your environment, + ensuring that network and system configurations are secure and documented. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + ref_id: B4.b.4 + description: You regularly review and validate that your network and information + systems have the expected, secure settings and configuration. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + ref_id: B4.b.5 + description: Only permitted software can be installed. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + ref_id: B4.b.6 + description: Standard users are not able to change settings that would impact + security or the business operation. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + ref_id: B4.b.7 + description: If automated decision-making technologies are in use, their operation + is well understood, and decisions can be replicated. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b.8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + ref_id: B4.b.8 + description: Generic, shared, default name and built-in accounts have been removed + or disabled. Where this is not possible, credentials to these accounts have + been changed. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.c + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4 + ref_id: B4.c + name: Secure Management + description: You manage your organisation's network and information systems + that support the operation of your essential function(s) to enable and maintain + security. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.c.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.c + ref_id: B4.c.1 + description: Your systems and devices supporting the operation of the essential + function(s) are only administered or maintained by authorised privileged users + from highly trusted devices, such as Privileged Access Workstations, dedicated + solely to those operations. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.c.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.c + ref_id: B4.c.2 + description: You regularly review and update technical knowledge about network + and information systems, such as documentation and network diagrams, and ensure + they are securely stored. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.c.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.c + ref_id: B4.c.3 + description: You prevent, detect and remove malware, and unauthorised software. + You use technical, procedural and physical measures as necessary. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4 + ref_id: B4.d + name: Vulnerability Management + description: You manage known vulnerabilities in your network and information + systems to prevent adverse impact on your essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d + ref_id: B4.d.1 + description: You maintain a current understanding of the exposure of your essential + function(s) to publicly-known vulnerabilities. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d + ref_id: B4.d.2 + description: Announced vulnerabilities for all software packages, network and + information systems used to support your essential function(s) are tracked, + prioritised and mitigated (e.g. by patching) promptly. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d + ref_id: B4.d.3 + description: You regularly test to fully understand the vulnerabilities of the + network and information systems that support the operation of your essential + function(s) and verify this understanding with third-party testing. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d + ref_id: B4.d.4 + description: You maximise the use of supported software, firmware and hardware + in your network and information systems supporting your essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b + ref_id: B5 + name: Resilient Networks and Systems + description: The organisation builds resilience against cyber attack and system + failure into the design, implementation, operation and management of systems + that support the operation of essential functions. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.a + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5 + ref_id: B5.a + name: Resilience Preparation + description: You are prepared to restore the operation of your essential function(s) + following adverse impact. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.a + ref_id: B5.a.1 + description: "You have business continuity and disaster recovery plans that\ + \ have been tested for practicality, effectiveness and completeness. Appropriate\ + \ use is made\Lof different test methods (e.g. manual fail-over, table-top\ + \ exercises, or red-teaming)." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.a + ref_id: B5.a.2 + description: You use your security awareness and threat intelligence sources + to identify new or heightened levels of risk, which result in immediate and + potentially temporary security measures to enhance the security of your network + and information systems (e.g. in response to a widespread outbreak of very + damaging malware). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5 + ref_id: B5.b + name: Design for Resilience + description: You design the network and information systems supporting your + essential function(s) to be resilient to cyber security incidents. Systems + are appropriately segregated and resource limitations are mitigated. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b + ref_id: B5.b.1 + description: Network and information systems supporting the operation of your + essential function(s) are segregated from other business and external systems + by appropriate technical and physical means (e.g. separate network and system + infrastructure with independent user administration). Internet services are + not accessible from network and information systems supporting the essential + function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b + ref_id: B5.b.2 + description: You have identified and mitigated all resource limitations (e.g. + bandwidth limitations and single network paths). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b + ref_id: B5.b.3 + description: "You have identified and mitigated any geographical constraints\ + \ or weaknesses. (e.g. systems that your essential function(s) depends upon\L\ + are replicated in another location, important network connectivity has alternative\ + \ physical paths and service providers)." 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b + ref_id: B5.b.4 + description: You review and update assessments of dependencies, resource and + geographical limitations and mitigations when necessary. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.c + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5 + ref_id: B5.c + name: Backups + description: You hold accessible and secured current backups of data and information + needed to recover operation of your essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.c.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.c + ref_id: B5.c.1 + description: Your comprehensive, automatic and tested technical and procedural + backups are secured at centrally accessible or secondary sites to recover + from an extreme event. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.c.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.c + ref_id: B5.c.2 + description: Backups of all important data and information needed to recover + the essential function(s) are made, tested, documented and routinely reviewed. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b + ref_id: B6 + name: Staff Awareness and Training + description: Staff have appropriate awareness, knowledge and skills to carry + out their organisational roles effectively in relation to the security of + network and information systems supporting the operation of essential functions. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6 + ref_id: B6.a + name: Cyber Security Culture + description: You develop and maintain a positive cyber security culture. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a + ref_id: B6.a.1 + description: Your executive management clearly and effectively communicates + the organisation's cyber security priorities and objectives to all staff. + Your organisation displays positive cyber security attitudes, behaviours and + expectations. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a + ref_id: B6.a.2 + description: People in your organisation raising potential cyber security incidents + and issues are treated positively. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a + ref_id: B6.a.3 + description: Individuals at all levels in your organisation routinely report + concerns or issues about cyber security and are recognised for their contribution + to keeping the organisation secure. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a + ref_id: B6.a.4 + description: Your management is seen to be committed to and actively involved + in cyber security. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a + ref_id: B6.a.5 + description: Your organisation communicates openly about cyber security, with + any concern being taken seriously. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a + ref_id: B6.a.6 + description: People across your organisation participate in cyber security activities + and improvements, building joint ownership and bringing knowledge of their + area of expertise. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6 + ref_id: B6.b + name: Cyber Security Training + description: The people who support the operation of your essential function(s) + are appropriately trained in cyber security. A range of approaches to cyber + security training, awareness and communications are employed. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b + ref_id: B6.b.1 + description: All people in your organisation, from the most senior to the most + junior, follow appropriate cyber security training paths. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b + ref_id: B6.b.2 + description: Each individuals cyber security training is tracked and refreshed + at suitable intervals. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b + ref_id: B6.b.3 + description: You routinely evaluate your cyber security training and awareness + activities to ensure they reach the widest audience and are effective. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b + ref_id: B6.b.4 + description: You make cyber security information and good practice guidance + easily accessible, widely available and you know it is referenced and used + within your organisation. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c + assessable: false + depth: 1 + ref_id: C + name: Detecting cyber security events + description: Capabilities exist to ensure security defences remain effective + and to detect cyber security events affecting, or with the potential to affect, + essential function(s). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c + ref_id: C1 + name: Security Monitoring + description: The organisation monitors the security status of the network and + information systems supporting the operation of essential functions in order + to detect potential security problems and to track the ongoing effectiveness + of protective security measures. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1 + ref_id: C1.a + name: Monitoring Coverage + description: The data sources that you include in your monitoring allow for + timely identification of security events which might affect the operation + of your essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a + ref_id: C1.a.1 + description: Monitoring is based on an understanding of your networks, common + cyber attack methods and what you need awareness of in order to detect potential + security incidents that could affect the operation of your essential function(s) + (e.g. presence of malware, malicious emails, user policy violations). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a + ref_id: C1.a.2 + description: Your monitoring data provides enough detail to reliably detect + security incidents that could affect the operation of your essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a + ref_id: C1.a.3 + description: You easily detect the presence or absence of IoCs on your essential + function(s), such as known malicious command and control signatures. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a + ref_id: C1.a.4 + description: Extensive monitoring of user activity in relation to the operation + of your essential function(s) enables you to detect policy violations and + an agreed list of suspicious or undesirable behaviour. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a + ref_id: C1.a.5 + description: You have extensive monitoring coverage that includes host-based + monitoring and network gateways. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a + ref_id: C1.a.6 + description: All new systems are considered as potential monitoring data sources + to maintain a comprehensive monitoring capability. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1 + ref_id: C1.b + name: Securing Logs + description: You hold log data securely and grant appropriate access only to + accounts with business a need. No system or user should ever need to modify + or delete master copies of log data within an agreed retention period, after + which it should be deleted. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b + ref_id: C1.b.1 + description: The integrity of log data is protected, or any modification is + detected and attributed. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b + ref_id: C1.b.2 + description: The logging architecture has mechanisms, policies, processes and + procedures to ensure that it can protect itself from threats comparable to + those it is trying to identify. This includes protecting the essential function(s) + itself, and the data within it. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b + ref_id: C1.b.3 + description: Log data analysis and normalisation is only performed on copies + of the data keeping the master copy unaltered. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b + ref_id: C1.b.4 + description: Log data is synchronised, using an accurate common time source, + so that separate datasets can be correlated in different ways. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b + ref_id: C1.b.5 + description: Access to log data is limited to those with business need and no + others. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b + ref_id: C1.b.6 + description: All actions involving all log data (e.g. copying, deleting, modifying + or viewing) can be traced back to a unique user. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b + ref_id: C1.b.7 + description: Legitimate reasons for accessing log data are given in use policies. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1 + ref_id: C1.c + name: Generating Alerts + description: Evidence of potential security incidents contained in your monitoring + data is reliably identified and triggers alerts. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c + ref_id: C1.c.1 + description: Log data is enriched with other network knowledge and data when + investigating certain suspicious activity or alerts. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c + ref_id: C1.c.2 + description: A wide range of signatures and indicators of compromise is used + for investigations of suspicious activity and alerts. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c + ref_id: C1.c.3 + description: Alerts can be easily resolved to network assets using knowledge + of networks and systems. The resolution of these alerts is performed in almost + real time. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c + ref_id: C1.c.4 + description: Security alerts relating to all essential function(s) are prioritised + and this information is used to support incident management. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c + ref_id: C1.c.5 + description: Logs are reviewed almost continuously, in real time. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c + ref_id: C1.c.6 + description: Alerts are tested to ensure that they are generated reliably and + that it is possible to distinguish genuine security incidents from false alarms. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1 + ref_id: C1.d + name: Identifying Security Incidents + description: You contextualise alerts with knowledge of the threat and your + systems, to identify those security incidents that require some form of response. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d + ref_id: C1.d.1 + description: "You have selected threat intelligence sources or services using\ + \ risk-based and threat- informed decisions based\Lon your business needs\ + \ and sector (e.g. vendor reporting and patching, strong anti-virus providers,\ + \ sector and community-based infoshare, special interest groups)." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d + ref_id: C1.d.2 + description: You apply all new signatures and IoCs within a reasonable (risk-based) + time of receiving them. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d + ref_id: C1.d.3 + description: You receive signature updates for all your protective technologies + (e.g. AV, IDS). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d + ref_id: C1.d.4 + description: You track the effectiveness of your intelligence feeds and actively + share feedback on the usefulness of IoCs and any other indicators with the + threat community (e.g. sector partners, threat intelligence providers, government + agencies). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1 + ref_id: C1.e + name: Monitoring Tools and Skills + description: Monitoring staff skills, tools and roles, including any that are + outsourced, should reflect governance and reporting requirements, expected + threats and the complexities of the network or system data they need to use. + Monitoring staff have knowledge of the essential function(s) they need to + protect. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e + ref_id: C1.e.1 + description: You have monitoring staff, who are responsible for the analysis, + investigation and reporting of monitoring alerts covering both security and + performance. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e + ref_id: C1.e.2 + description: Monitoring staff have defined roles and skills that cover all parts + of the monitoring and investigation process. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e + ref_id: C1.e.3 + description: Monitoring staff follow policies, processes and procedures that + address all governance reporting requirements, internal and external. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e + ref_id: C1.e.4 + description: Monitoring staff are empowered to look beyond the fixed process + to investigate and understand non-standard threats, by developing their own + investigative techniques and making new use of data. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e + ref_id: C1.e.5 + description: Your monitoring tools make use of all log data collected to pinpoint + activity within an incident. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e + ref_id: C1.e.6 + description: Monitoring staff and tools drive and shape new log data collection + and can make wide use of it. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e + ref_id: C1.e.7 + description: Monitoring staff are aware of the operation of essential function(s) + and related assets and can identify and prioritise alerts or investigations + that relate to them. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c + ref_id: C2 + name: Proactive Security Event Discovery + description: The organisation detects, within network and information systems, + malicious activity affecting, or with the potential to affect, the operation + of essential functions even when the activity evades standard signature based + security prevent/detect solutions (or when standard solutions are not deployable). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.a + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2 + ref_id: C2.a + name: System Abnormalities for Attack Detection + description: You define examples of abnormalities in system behaviour that provide + practical ways of detecting malicious activity that is otherwise hard to identify. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.a + ref_id: C2.a.1 + description: Normal system behaviour is fully understood to such an extent that + searching for system abnormalities is a potentially effective way of detecting + malicious activity (e.g. You fully understand which systems should and should + not communicate and when). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.a + ref_id: C2.a.2 + description: System abnormality descriptions from past attacks and threat intelligence, + on yours and other networks, are used to signify malicious activity. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.a + ref_id: C2.a.3 + description: The system abnormalities you search for consider the nature of + attacks likely to impact on the network and information systems supporting + the operation of your essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.a + ref_id: C2.a.4 + description: The system abnormality descriptions you use are updated to reflect + changes in your network and information systems and current threat intelligence. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.b + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2 + ref_id: C2.b + name: Proactive Attack Discovery + description: You use an informed understanding of more sophisticated attack + methods and of normal system behaviour to monitor proactively for malicious + activity. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.b + ref_id: C2.b.1 + description: You routinely search for system abnormalities indicative of malicious + activity on the network and information systems supporting the operation of + your essential function(s), generating alerts based on the results of such + searches. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.b + ref_id: C2.b.2 + description: You have justified confidence in the effectiveness of your searches + for system abnormalities indicative of malicious activity. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d + assessable: false + depth: 1 + ref_id: D + name: Minimising the impact of cyber security incidents + description: Capabilities exist to minimise the adverse impact of a cyber security + incident on the operation of essential functions, including the restoration + of those function(s) where necessary. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d + ref_id: D1 + name: Response and Recovery Planning + description: There are well-defined and tested incident management processes + in place, that aim to ensure continuity of essential function(s) in the event + of system or service failure. Mitigation activities designed to contain or + limit the impact of compromise are also in place. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.a + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1 + ref_id: D1.a + name: Response Plan + description: You have an up-to-date incident response plan that is grounded + in a thorough risk assessment that takes account of your essential function(s) + and covers a range of incident scenarios. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.a + ref_id: D1.a.1 + description: Your incident response plan is based on a clear understanding of + the security risks to the network and information systems supporting your + essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.a + ref_id: D1.a.2 + description: Your incident response plan is comprehensive (i.e. covers the complete + lifecycle of an incident, roles and responsibilities, and reporting) and covers + likely impacts of both known attack patterns and of possible attacks, previously + unseen. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.a + ref_id: D1.a.3 + description: Your incident response plan is documented and integrated with wider + organisational business plans and supply chain response plans, as well as + dependencies on supporting infrastructure (e.g. power, cooling etc). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.a + ref_id: D1.a.4 + description: Your incident response plan is communicated and understood by the + business areas involved with the operation of your essential function(s). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1 + ref_id: D1.b + name: Response and Recovery Capability + description: You have the capability to enact your incident response plan, including + effective limitation of impact on the operation of your essential function(s). + During an incident, you have access to timely information on which to base + your response decisions. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b + ref_id: D1.b.1 + description: You understand the resources that will likely be needed to carry + out any required response activities, and arrangements are in place to make + these resources available. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b + ref_id: D1.b.2 + description: You understand the types of information that will likely be needed + to inform response decisions and arrangements are in place to make this information + available. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b + ref_id: D1.b.3 + description: Your response team members have the skills and knowledge required + to decide on the response actions necessary to limit harm, and the authority + to carry them out. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b + ref_id: D1.b.4 + description: Key roles are duplicated, and operational delivery knowledge is + shared with all individuals involved in the operations and recovery of the + essential function(s). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b + ref_id: D1.b.5 + description: Back-up mechanisms are available that can be readily activated + to allow continued operation of your essential function(s), although possibly + at a reduced level, if primary network and information systems fail or are + unavailable. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b + ref_id: D1.b.6 + description: "Arrangements exist to augment your organisation\u2019s incident\ + \ response capabilities with external support if necessary (e.g. specialist\ + \ cyber incident responders)." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1 + ref_id: D1.c + name: Testing and Exercising + description: Your organisation carries out exercises to test response plans, + using past incidents that affected your (and other) organisation, and scenarios + that draw on threat intelligence and your risk assessment. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c + ref_id: D1.c.1 + description: Exercise scenarios are based on incidents experienced by your and + other organisations or are composed using experience or threat intelligence. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c + ref_id: D1.c.2 + description: Exercise scenarios are documented, regularly reviewed, and validated. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c + ref_id: D1.c.3 + description: Exercises are routinely run, with the findings documented and used + to refine incident response plans and protective security, in line with the + lessons learned. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c + ref_id: D1.c.4 + description: Exercises test all parts of your response cycle relating to your + essential function(s) (e.g. restoration of normal function(s) levels). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d + ref_id: D2 + name: Lessons Learned + description: When an incident occurs, steps are taken to understand its root + causes and to ensure appropriate remediating action is taken to protect against + future incidents. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.a + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2 + ref_id: D2.a + name: Incident Root Cause Analysis + description: When an incident occurs, steps must be taken to understand its + root causes and ensure appropriate remediating action is taken. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.a + ref_id: D2.a.1 + description: Root cause analysis is conducted routinely as a key part of your + lessons learned activities following an incident. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.a + ref_id: D2.a.2 + description: Your root cause analysis is comprehensive, covering organisational + process issues, as well as vulnerabilities in your networks, systems or software. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.a + ref_id: D2.a.3 + description: All relevant incident data is made available to the analysis team + to perform root cause analysis. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2 + ref_id: D2.b + name: Using Incidents to Drive Improvements + description: Your organisation uses lessons learned from incidents to improve + your security measures. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b + ref_id: D2.b.1 + description: "You have a documented incident review process/policy which ensures\ + \ that lessons learned from each incident are identified, captured,\Land acted\ + \ upon." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b + ref_id: D2.b.2 + description: Lessons learned cover issues with reporting, roles, governance, + skills and organisational processes as well as technical aspects of network + and information systems. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b + ref_id: D2.b.3 + description: You use lessons learned to improve security measures, including + updating and retesting response plans when necessary. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b + ref_id: D2.b.4 + description: Security improvements identified as a result of lessons learned + are prioritised, with the highest priority improvements completed quickly. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b + ref_id: D2.b.5 + description: Analysis is fed to senior management and incorporated into risk + management and continuous improvement. diff --git a/tools/ncsc/ncsc-caf-3.2.xlsx b/tools/ncsc/ncsc-caf-3.2.xlsx new file mode 100644 index 000000000..520853ff6 Binary files /dev/null and b/tools/ncsc/ncsc-caf-3.2.xlsx differ
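Review bot: two of the double-quoted descriptions in this hunk carry the YAML `\L` escape (U+2028 LINE SEPARATOR) where a plain space belongs, so the imported requirement text will contain an invisible line-separator character that defeats word search and string matching on those nodes. The affected strings are C1.d.1 (`risk-based and threat- informed decisions based\Lon your business needs`) and D2.b.1 (`identified, captured,\Land acted\ upon`); replace each `\L` with a space, and fix the stray space in `threat- informed` in the same C1.d.1 string while there. Since the only other file in this commit is `tools/ncsc/ncsc-caf-3.2.xlsx`, it is worth checking whether the same U+2028 characters are present in the spreadsheet cells and normalising them at the source rather than hand-editing the generated YAML, so the next regeneration does not reintroduce them.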