CAF - Objective A

Created:  30 Apr 2018
Updated:  30 Apr 2018
Indicators of Good Practice for Objective A

A1 Governance

Appropriate organisational structures, policies, and processes in place to understand, assess and systematically manage security risks to the network and information systems supporting essential services.

Principle

The organisation has appropriate management policies and processes in place to govern its approach to the security of network and information systems.

A1.a Board direction

You have effective organisational security management led at board level and articulated clearly in corresponding policies.

Not Achieved (at least one of the following statements is true)

The security of network and information systems related to the delivery of essential services is not discussed or reported on regularly at board level.

Board-level discussions on the security of networks and information systems are based on partial or out-of-date information, without the benefit of expert guidance.

The security of networks and information systems supporting your essential services is not driven effectively by the direction set at board level.

Senior management or other pockets of the organisation consider themselves exempt from some policies, or expect special accommodations to be made.

Achieved (all the following statements are true)

Your organisation's approach and policy relating to the security of networks and information systems supporting the delivery of essential services are set and managed at board level. These are communicated, in a meaningful way, to risk management decision-makers across the organisation.

Regular board discussions on the security of network and information systems supporting the delivery of your essential service take place, based on timely and accurate information and informed by expert guidance.

There is a board-level individual who has overall accountability for the security of networks and information systems and drives regular discussion at board level.

Direction set at board level is translated into effective organisational practices that direct and control the security of the networks and information systems supporting your essential service.

A1.b Roles and responsibilities

Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.

Not Achieved (at least one of the following statements is true)

Key roles are missing, left vacant, or fulfilled on an ad-hoc or informal basis.

Staff are assigned security responsibilities but without adequate authority or resources to fulfil them.

Staff are unsure what their responsibilities are for the security of the essential service.

Achieved (all the following statements are true)

Necessary roles and responsibilities for the security of networks and information systems supporting your essential service have been identified. These are reviewed periodically to ensure they remain fit for purpose.

Appropriately capable and knowledgeable staff fill those roles and are given the time, authority, and resources to carry out their duties.

There is clarity on who in your organisation has overall accountability for the security of the networks and information systems supporting your essential service.

A1.c Decision-making

You have senior-level accountability for the security of networks and information systems, and delegate decision-making authority appropriately and effectively. Risks to network and information systems related to the delivery of essential services are considered in the context of other organisational risks.

Not Achieved (at least one of the following statements is true)

What should be relatively straightforward risk decisions are constantly referred up the chain, or not made.

Risks are resolved informally (or ignored) at a local level when it would be more appropriate to use a formal reporting mechanism.

Decision-makers are unsure of what senior management's risk appetite is, or only understand it in vague terms such as "averse" or "cautious".

Organisational stovepipes result in risk decisions being made in isolation; for example, engineering and IT don't talk to each other about risk.

Risk priorities are too vague to make meaningful distinctions between them; for example, almost all risks are rated 'medium' or 'amber'.

Achieved (all the following statements are true)

Senior management have visibility of key risk decisions made throughout the organisation.

Risk management decision-makers understand their responsibilities for making effective and timely decisions in the context of the risk appetite regarding the essential service, as set by senior management.

Risk management decision-making is delegated and escalated where necessary, across the organisation, to people who have the skills, knowledge, tools, and authority they need.

Risk management decisions are periodically reviewed to ensure their continued relevance and validity.

A2 Risk Management

Principle

The organisation takes appropriate steps to identify, assess and understand security risks to the network and information systems supporting the delivery of essential services. This includes an overall organisational approach to risk management.

A2.a Risk management process

Your organisation has effective internal processes for managing risks to the security of network and information systems related to the delivery of essential services, and communicating associated activities.

Not Achieved (at least one of the following statements is true)

Risk assessments are not based on a clearly defined set of threat assumptions.

Risk assessment outputs are too complex or unwieldy to be consumed by decision-makers, and are not effectively communicated in a clear and timely manner.

Risk assessments for critical systems are a "one-off" activity (or not done at all).

The security element of project or programme milestones is solely dependent on completing the risk management process.

One single approach to assessing risks is applied to every risk management problem within the organisation.

Systems are assessed in isolation, without consideration of dependencies and interactions with other systems (including interactions between IT and OT environments).

Security requirements and mitigations are arbitrary or are applied from a control catalogue without consideration of how they contribute to the security of the essential service.

Risks remain unresolved on a register for prolonged periods of time, awaiting senior decision-making or resource allocation to resolve.

Achieved (all the following statements are true)

Your organisational process ensures that security risks to networks and information systems relevant to essential services are identified, analysed, prioritised, and managed.

Your approach to risk is focused on the possibility of disruption to your essential service, leading to a detailed understanding of how such disruption might arise as a consequence of possible attacker actions and the security properties of your networks and information systems.

Your risk assessments are based on a clearly articulated set of threat assumptions, informed by an up-to-date understanding of security threats to your essential service.

Your risk assessments are informed by an understanding of the vulnerabilities in the networks and information systems supporting your essential service.

The output from your risk management process is a clear set of security requirements that will address the risks in line with your organisational approach to security.

Significant conclusions reached in the course of your risk management process are communicated to key security decision-makers and accountable individuals.

You conduct risk assessments when significant events potentially affect the essential service, such as replacing a system or a change in the cyber security threat.

Your risk assessments are dynamic, and are updated in the light of relevant changes, which may include technical changes to networks and information systems, change of use and new threat information.

The effectiveness of your risk management process is reviewed periodically and improvements made as required.

A2.b Assurance

You have demonstrable confidence in the effectiveness of the security of your technology, people, and processes relevant to essential services.

Not Achieved (at least one of the following statements is true)

A particular product or service is seen as a "silver bullet" and vendor claims are taken at face value.

Assurance methods are applied without appreciation of their strengths and limitations, such as the risks of penetration testing in operational environments.

Assurance is assumed because there have been no known problems to date.

Achieved (all the following statements are true)

You validate that the security measures in place to protect the networks and information systems are effective, and remain effective for the lifetime over which they are needed.

You understand the assurance methods available to you and choose appropriate methods to gain confidence in the security of essential services.

Your confidence in the security as it relates to your technology, people, and processes can be demonstrated to, and verified by, a third party.

Security deficiencies uncovered by assurance activities are assessed, prioritised and remedied when necessary in a timely and effective way.

The methods used for assurance are reviewed to ensure they are working as intended and remain the most appropriate method to use.

A3 Asset Management 

Principle

Everything required to deliver, maintain or support networks and information systems for essential services is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling).

A3.a Asset management 

Not Achieved (at least one of the following statements is true)

Inventories of assets relevant to the essential service are incomplete, non-existent, or inadequately detailed.

Only certain domains or types of asset are documented and understood. Dependencies between assets are not understood (such as the dependencies between IT and OT).

Information assets, which could include personally identifiable information or other sensitive information, are stored for long periods of time with no clear business need or retention policy.

Knowledge critical to the management, operation, or recovery of essential services is held by one or two key individuals with no succession plan.

Asset inventories are neglected and out of date.

Achieved (all the following statements are true)

All assets relevant to the secure operation of essential services are identified and inventoried (at a suitable level of detail). The inventory is kept up to date.

Dependencies on supporting infrastructure (e.g. power, cooling) are recognised and recorded.

You have prioritised your assets according to their importance to the delivery of the essential service.

You have assigned responsibility for managing the physical assets.

Assets relevant to essential services are managed with cyber security in mind throughout their lifecycle, from creation through to eventual decommissioning or disposal.

A4 Supply Chain  

Principle

The organisation understands and manages security risks to networks and information systems supporting the delivery of essential services that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used. Regardless of your outsourcing model, the OES remains responsible for the security of the service and therefore all requirements from NIS flow down.

A4.a Supply chain

Not Achieved (at least one of the following statements is true)

You do not know what data belonging to you is held by suppliers, or how it is managed.

Elements of the supply chain for essential services are subcontracted and you have little or no visibility of the sub-contractors.

Relevant contracts do not have security requirements.

Suppliers have unrestricted or unmonitored access to critical systems, or access that bypasses your own security controls.

Partially Achieved (all of the following statements are true)

You understand the general risks suppliers may pose to your essential services.

You know the extent of your supply chain for essential services, including sub-contractors.

You engage with suppliers about security, and you set and communicate security requirements in contracts.

You are aware of all third-party connections and have assurance that they meet your organisation's security requirements.

Your approach to security incident management considers incidents that might arise in your supply chain.

Achieved (all the following statements are true)

You have a deeper understanding of your supply chain, including sub-contractors and the wider risks it faces. You take into account factors such as suppliers' partnerships, competitors, nationality and other organisations with which they sub-contract. This informs your risk assessment and procurement processes.

Your approach to supply chain risk management includes the risks to your essential services arising from supply chain subversion by capable and well-resourced attackers, if this is part of your threat model.

You have confidence that information shared with suppliers that might be essential to the service is well protected.

You can clearly express the security needs you place on suppliers in ways that are mutually understood, and these are laid out in contracts. There is a clear and documented shared-responsibility model.

All network connectivity and data object exchange is appropriately managed.

Where appropriate, you offer support to suppliers to resolve incidents.
