CAF – Objective B

Service protection policies and processes are not applied universally or consistently.

People often or routinely circumvent service protection policies and processes to achieve business objectives.

Your organisation’s security governance and risk management approach has no bearing on your service protection policies and processes.

System security depends upon users’ careful and consistent application of manual security processes.

Service protection policies and processes have not been reviewed in response to major changes (e.g. technology or regulatory framework), or within a suitable period.

Service protection policies and processes are not readily available to staff, too detailed to remember, or too hard to understand.

You review and update service protection policies and processes in response to major cyber security incidents.

Your organisation’s service protection policies and processes are developed to be practical, usable and appropriate for your essential service and your technologies.

Where your service protection policies and processes place requirements on people, e.g. changes in behaviour or activity, this is practical and they can do what is expected.

You review and improve policies and processes at suitably regular intervals to ensure they remain relevant to threats, the way people and systems work, adapt to lessons learned and remain appropriate and effective. This is in addition to reviews following a major cyber security incident.

Your systems are designed with ‘guard rails’, so that they remain secure even when user security policies and processes are not always followed.

You do not have an understanding of the impact of your service protection policies and processes on your security.

Some or all staff are unaware of their responsibilities under your service protection policies and processes.

You do not detect breaches of service protection policies and processes.

Your service protection policies and processes are integrated with other organisational policies and processes, including HR assessments of individuals’ trustworthiness.

All staff are aware of their responsibilities under your service protection policies and processes.

All significant breaches of service protection policies and processes are investigated; less significant breaches are tracked and assessed for trends or aggregation as a larger breach.

Your service protection policies and processes are integrated with other organisational policies and processes, including HR assessments of individuals’ trustworthiness.

Your service protection policies and processes are effectively and appropriately communicated across all levels of the organisation. All staff are aware of their responsibilities under your service protection policies and processes.

Suitable action is taken to correct significant single or aggregated breaches of service protection policies and processes.

Unknown or unauthorised users or devices can connect to your networks or information systems.

User access is not limited to the minimum necessary.

User access to essential service networks and information systems is limited to the minimum necessary.

You use additional authentication mechanisms, such as two-factor or hardware-backed certificates, for access to sensitive systems such as operational technology.

You individually authenticate and authorise all remote access to all your networks and information systems that support your essential service.

The list of users with access to essential service networks and systems is reviewed on a regular basis, e.g. annually.

User access to all your networks and information systems supporting the essential service is limited to the minimum necessary.

You use additional authentication mechanisms, such as two-factor or hardware-backed certificates, for all systems that operate or support your essential service.

You use additional authentication mechanisms, such as two-factor or hardware-backed certificates, when you individually authenticate and authorise all remote access to all your networks and information systems that support your essential service.

The list of individuals with access to all your networks and systems supporting the essential service is reviewed on a regular basis, e.g. annually.

The list of users with access to essential service networks and systems is reviewed on a regular basis, e.g. every 6 months.

Administrators are able to perform administrative functions from non-corporately managed devices (such as remote access from personal devices).

You have not gained assurance in the security of any third-party devices or networks connected to your systems.

Physically connecting to your network gives a device access to systems without further authentication.

All administrative access occurs from dedicated management devices.

You have sought to understand the security properties of third-party devices and networks before they are allowed to be connected to your systems. You have taken appropriate steps to mitigate any risks identified.

The act of connecting to a network port or cable does not grant access to any systems.

You are able to detect unknown devices being connected to your network, and investigate such incidents.

You have obtained independent or professional assurance of the security of third-party networks, or you only allow third-party devices / networks dedicated to supporting your systems to connect.

You perform device identity management which is cryptographically backed, and only allow known devices to access systems.

You perform regular scans to detect unknown devices and investigate any findings.

It is not known whether all privileged users are strongly authenticated when accessing the system.

Privileged access is granted from remote sessions without additional validation.

The list of system administrators has not been reviewed recently, e.g. within the last 12 months.

Privileged user access is granted on a system-wide basis (as opposed to by specific roles).

System administrators use generic (shared or default name) accounts to administer servers and devices.

Where there are “always on” terminals which can perform privileged actions (such as in a control room), there are no additional controls (e.g. physical controls) to ensure access is appropriately restricted.

User roles are not suitably logically segregated, e.g. users have a single user identifier for routine business activities and privileged or segregated roles.

You know the names of all individuals in your organisation and your supply chain with privileged access to your networks and information systems (infrastructure, platforms, software, configuration, etc.)

Activity by privileged users is periodically validated, e.g. annually.

Privileged users are only granted specific privileged permissions and roles which are essential to their business function.

Where you don’t already issue temporary, time-bound rights for privileged access and external third-party support access, you are migrating to access control that supports this functionality.

You regularly review privileged access rights and always update privileges as part of your joiners, movers and leavers process.

All privileged access to your networks and information systems requires strong authentication, such as two-factor/ hardware authentication, or additional real-time security monitoring.

Privileged access is only granted on devices owned and managed by your organisation.

Activity by privileged users is routinely validated.

The list of system administrators is regularly reviewed, e.g. every 6 months.

You record and store all privileged user sessions for offline analysis and investigation.

User rights are granted without validation of their identity and requirement for access.

User rights are not reviewed when they move jobs.

User rights remain active when people leave your organisation.

You regularly review access rights and those no longer needed are revoked. 

Your joiners, leavers and movers process ensures that user permissions are reviewed both when people change roles and at regular intervals.

All access is logged and monitored.

Your joiners, leavers and movers process ensures that, in addition to when people change roles, user permissions are reviewed regularly.

All access is logged and monitored.

You regularly review access logs and correlate this data with other access records and expected activity.

Attempts by unauthorised users to connect to your systems are alerted, promptly assessed and investigated where relevant.

You cannot identify who has access to data important to the delivery of the essential service.

You are not able to clearly articulate the impact of data compromise or inaccessibility.

You periodically review location, transmission, quantity and quality of data important to the delivery of the essential service.

You have identified all mobile devices and media that hold data important to the delivery of the essential service.

You understand the impact on your essential service of all relevant scenarios, including unauthorised access, modification or deletion, or when authorised users are unable to appropriately access this data.

You validate these impact statements regularly, e.g. every 12 or 24 months.

You maintain a current understanding of the location, quantity and quality of data important to the delivery of the essential service.

You take steps to remove or minimise unnecessary copies or unneeded historic data.

You have identified all mobile devices and media that may hold data important to the delivery of the essential service.

You maintain a current understanding of the data links used to transmit data that is important to your essential service.

You understand the context, limitations and dependencies of your important data.

You understand the impact on your essential service of all relevant scenarios, including unauthorised data access, modification or deletion, or when authorised users are unable to appropriately access this data.

You validate these impact statements regularly, e.g. annually.

Data important to the delivery of the essential service travels without technical protection over untrusted or openly accessible carriers.

Critical data paths that could fail, be jammed, be overloaded, etc. have no alternative path.

You apply appropriate technical means (e.g. cryptography) to protect data that travels over an untrusted carrier, but you have limited or no confidence in the robustness of the protection applied.

You apply appropriate physical or technical means to protect data that travels over an untrusted carrier, with justified confidence in the robustness of the protection applied.

Suitable alternative transmission paths are available where there is a risk of impact on the delivery of the essential service due to resource limitation (e.g. transmission equipment or service failure, or important data being blocked or jammed).

You have not protected vulnerable stored data important to the delivery of the essential service in a suitable way.

Backups are incomplete, untested, not adequately secured or could be inaccessible in a disaster recovery or business continuity situation.

You have applied suitable physical or technical means to protect this important stored data from unauthorised access, modification or deletion.

If cryptographic protections are used, you apply suitable techical and procedural means, but you have limited or no confidence in the robustness of the protection applied.

You have suitable, secured backups of data to allow the essential service to continue should the original data not be available. This may include off-line or segregated backups, or appropriate alternative forms such as paper copies.

You have applied suitable physical or technical means to protect this important stored data from unauthorised access, modification or deletion.

If cryptographic protections are used you apply suitable techical and procedural means, and you have justified confidence in the robustness of the protection applied.

You have suitable, secured backups of data to allow the essential service to continue should the original data not be available. This may include off-line or segregated backups, or appropriate alternative forms such as paper copies.

Necessary historic or archive data is suitably secured in storage.

You allow data important to the delivery of the essential service to be stored on devices not managed by your organisation, or to at least equivalent standard.

Data on mobile devices is not technically secured, or only some is secured.

Data important to the delivery of the essential service is only stored on mobile devices with at least equivalent security standard to your organisation.

Data on mobile devices is technically secured.

Your organisation can remotely wipe all mobile devices holding data important to the delivery of essential service.

You have minimised this data on these mobile devices.  Some data may be automatically deleted off mobile devices after a certain period.

Providers of any cloud services you use are not able to explain how storage is sanitised when it is released.

All data important to the delivery of the essential service is sanitised from all devices, equipment or removable media before disposal.

Your cloud service providers appropriately sanitise data storage areas before reallocating to another user.

Internet access is available from operational systems.

Data flows between the essential service’s operational systems and other systems are complex, making it hard to discriminate between legitimate and illegitimate/malicious traffic.

Remote or third party accesses circumvent some network controls to gain more direct access to operational systems of the essential service.

You design strong boundary defences where your networks and information systems interface with other organisations or the world at large.

You design simple data flows between your networks and information systems and any external interface to enable effective monitoring.

You design to make network and information system recovery simple.

All inputs to operational systems are checked and validated at the network boundary where possible, or additional monitoring is in place for content-based attacks.

Your networks and information systems are segregated into appropriate security zones, e.g. operational systems for the essential service are segregated in a highly trusted, more secure zone.

The networks and information systems supporting your essential service are designed to have simple data flows between components to support effective security monitoring.

The networks and information systems supporting your essential service are designed to be easy to recover.

All inputs to operational systems are transformed and inspected at the border where possible. Where this is not currently possible, content-based attacks are mitigated by other means.

Your network and information systems have inconsistent security in operating system builds or configurations.

Configuration details are not recorded or lack enough information to be able to rebuild the system or device.

You don’t record changes or adjustments to security configuration at security boundaries with the networks and information systems supporting your essential service.

Secure platform and device builds are used across the estate.

Consistent, secure and minimal system and device configurations are applied across the same types of environment.

Changes and adjustments to security configuration at security boundaries with the networks and information systems supporting your essential service are approved and documented.

You verify software before installation is permitted.

All platforms conform to your secure, consistent baseline build, or latest known good configuration version for that environment.

You closely and effectively manage changes in your environment, ensuring that network and system configurations are secure and documented.

You regularly review and validate that your network and information systems have the expected, secured settings and configuration.

Only permitted software can be installed and standard users cannot change settings that would impact security or business operation.

If automated decision-making technologies are in use, their operation is well understood and decisions can be replicated.

You do not have good or current technical documentation of your networks and information systems.

Technical knowledge about networks and information systems, such as documentation and network diagrams, is regularly reviewed and updated.

You prevent, detect and remove malware or unauthorised software. You use technical, procedural and physical measures as necessary.

You regularly review and update technical knowledge about networks and information systems, such as documentation and network diagrams, and ensure they are securely stored.

You prevent, detect and remove malware or unauthorised software. You use technical, procedural and physical measures as necessary.

You do not mitigate externally-exposed vulnerabilities promptly.

There are no means to check data or software imports for malware.

You have not recently tested to verify your understanding of the vulnerabilities of the networks and information systems that support your essential service.

You have not suitably mitigated systems or software that is no longer supported. These systems may still be running, but not in operational use.

You are not pursuing replacement for unsupported systems or software.

Announced vulnerabilities for all software packages, network equipment and operating systems used to support your essential service are tracked, prioritised and externally-exposed vulnerabilities are mitigated (eg by patching) promptly.

Some vulnerabilities that are not externally exposed have temporary mitigations for an extended period.

You have temporary mitigations for unsupported systems and software while pursuing migration to supported technology.

You regularly test to fully understand the vulnerabilities of the networks and information systems that support your essential service.

Announced vulnerabilities for all software packages, network equipment and operating systems used to support your essential service are tracked, prioritised and mitigated (eg by patching) promptly.

You regularly test to fully understand the vulnerabilities of the networks and information systems that support your essential service and verify this understanding with third-party testing.

You maximise the use of supported software, firmware and hardware in your networks and information systems supporting your essential service.

You have not completed business continuity and/or disaster recovery plans for your essential service’s networks, information systems and their dependencies.

You have not fully assessed the practical implementation of these plans.

You know the order in which systems need to be restored to most quickly and effectively restore the essential service.

You use your security awareness, e.g. threat intelligence sources, to make temporary security changes in response to new threats, e.g. a widespread outbreak of very damaging malware.

Internet services, such as browsing and email, are accessible from essential service operational systems.

You do not understand or lack plans to mitigate all resource limitations that could adversely affect your essential service.

Resource limitations (e.g. network bandwidth, single network paths) have been identified but not fully mitigated.

You have identified and mitigated all resource limitations, i.e. bandwidth limitations.

You have identified and mitigated any geographical constraints or weaknesses. For example, systems that your essential service depends upon are duplicated to another location, important network connectivity has alternative physical paths and service providers.

You review and update dependencies, resource and geographical limitation assessments and update mitigations when required.

Backups are not frequent enough for your essential service to be restored within a suitable timeframe.

You routinely test backups to ensure that the backup process functions correctly and the backups are usable.

Key roles are duplicated and operational delivery knowledge is shared with all individuals involved in the operations and recovery of the essential service.

Suitable backups of all important data and information needed to recover the essential service are made, tested, documented and routinely reviewed.

People in your organisation don’t know how to raise a concern about cyber security.

People believe that reporting issues may get them into trouble.

Your organisation’s approach to cyber security doesn’t reflect the way staff work to deliver the essential service. It is perceived by staff as being incompatible with the ability of the organisation to deliver the essential service.

All people in your organisation understand the contribution they make to the essential service’s cyber security.

All individuals in your organisation know who to contact and where to access more information about cyber security. They know how to raise a cyber security issue.

People in your organisation are positively recognised for bringing cyber security incidents and issues to light, not reprimanded or ignored.

Individuals at all levels in your organisation routinely report concerns or issues about cyber security and are recognised for their contribution to keeping the organisation secure.

Your management is seen to be committed to and actively involved in cyber security.

Your organisation communicates openly about cyber security, with any concern being taken seriously.

People across your organisation participate in cyber security activities and improvements, building joint ownership and bringing knowledge of their area of expertise.

Cyber security training is only offered to specific roles in your organisation.

Records of role-specific cyber security training do not exist, or are incomplete.

There are incomplete or no records of cyber security training for your organisation.

You use a range of teaching and communication techniques for cyber security training and awareness to reach the widest audience effectively.

Cyber security information is easily available.

You track individuals’ cyber security training and ensure that refresh update training is completed at suitable intervals.

You routinely engage all people across your organisation on cyber security and evaluate that your cyber security training and awareness activities reach the widest audience effectively.

Cyber security information and good practice guidance is easily and widely available. You know this is referenced and employed by people in your organisation.