CAF – Objective A

Board-level discussions on the security of networks and information systems are based on partial or out-of-date information, without the benefit of expert guidance.

The security of networks and information systems supporting your essential services is not driven effectively by the direction set at board level.

Senior management or other pockets of the organisation consider themselves exempt from some policies, or expect special accommodations to be made.

Regular board discussions on the security of network and information systems supporting the delivery of your essential service take place, based on timely and accurate information and informed by expert guidance.

There is a board-level individual who has overall accountability for the security of networks and information systems and drives regular discussion at board-level.

Direction set at board level is translated into effective organisational practices that direct and control the security of the networks and information systems supporting your essential service.

Staff are assigned security responsibilities but without adequate authority or resources to fulfil them.

Staff are unsure what their responsibilities are for the security of the essential service.

Appropriately capable and knowledgeable  staff fill those roles and are given the time, authority, and resources to carry out their duties.

There is clarity on who in your organisation has overall accountability for the security of the networks and information systems supporting your essential service.

Risks are resolved informally (or ignored) at a local level without a formal reporting mechanism when it is not appropriate.

Decision-makers are unsure of what senior management’s risk appetite is, or only understand it in vague terms such as “averse” or “cautious”.

Organisational stovepipes result in risk decisions being made in isolation, for example, engineering and IT don’t talk to each other about risk.

Risk priorities are too vague to make meaningful distinctions between them, for example almost all risks are rated ‘medium’ or ‘amber’.

Risk management decision-makers understand their responsibilities for making effective and timely decisions in the context of the risk appetite regarding the essential service, as set by senior management.

Risk management decision-making is delegated and escalated where necessary, across the organisation, to people who have the skills, knowledge, tools, and authority they need.

Risk management decisions are periodically reviewed to ensure their continued relevance and validity.

Risk assessment outputs are too complex or unwieldy to be consumed by decision-makers, and are not effectively communicated in a clear and timely manner.

Risk assessments for critical systems are a “one-off” activity (or not done at all).

The security element of project or programme milestones are solely dependent on completing the risk management process.

One single approach to assessing risks is applied to every risk management problem within the organisation.

Systems are assessed in isolation, without consideration of dependencies and interactions with other systems (including interactions between IT and OT environments).

Security requirements and mitigations are arbitrary or are applied from a control catalogue without consideration of how they contribute to the security of the essential service.

Risks remain unresolved on a register for prolonged periods of time awaiting senior decision-making or resource allocation to resolve.

Your approach to risk is focused on the possibility of disruption to your essential service, leading to a detailed understanding how such disruption might arise as a consequence of possible attacker actions and the security properties of your networks and information systems.

Your risk assessments are based on a clearly articulated set of threat assumptions, informed by an up-to-date understanding of security threats to your essential service.

Your risk assessments are informed by an understanding of the vulnerabilities in the networks and information systems supporting your essential service.

The output from your risk management process is a clear set of security requirements that will address the risks in line with your organisational approach to security

Significant conclusions reached in the course of your risk management process are communicated to key security decision-makers and accountable individuals.

You conduct risk assessments when significant events potentially affect the essential service, such as replacing a system or a change in the cyber security threat

Your risk assessments are dynamic, and are updated in the light of relevant changes which may include technical changes to networks and information systems, change of use and new threat information.

The effectiveness of your risk management process is reviewed periodically and improvements made as required.

Assurance methods are applied without appreciation of their strengths and limitations, such as the risks of penetration testing in operational environments.

Assurance is assumed because there have been no known problems to date.

You understand the assurance methods available to you and choose appropriate methods to gain confidence in the security of essential services.

Your confidence in the security as it relates to your technology, people, and processes can be demonstrated to, and verified by, a third party.

Security deficiencies uncovered by assurance activities are assessed, prioritised and remedied when necessary in a timely and effective way.

The methods used for assurance are reviewed to ensure they are working as intended and remain the most appropriate method to use.

Only certain domains or types of asset are documented and understood. Dependencies between assets are not understood (such as the dependencies between IT and OT).

Information assets, which could include personally identifiable information or other sensitive information, are stored for long periods of time with no clear business need or retention policy.

Knowledge critical to the management, operation, or recovery of essential services is held by one or two key individuals with no succession plan.

Asset inventories are neglected and out of date.

Dependencies on supporting infrastructure (eg. power, cooling etc) are recognised and recorded.

You have prioritised your assets according to their importance to the delivery of the essential service.

You have assigned responsibility for managing the physical assets.

Assets relevant to essential services are managed with cyber security in mind throughout their lifecycle, from creation through to eventual decommissioning or disposal.

Elements of the supply chain for essential services are subcontracted and you have little or no visibility of the sub-contractors.

Relevant contracts do not have security requirements.

Suppliers have unrestricted or unmonitored access to critical systems, or access that bypasses your own security controls.

You know the extent of your supply chain for essential services, including sub-contractors.

You engage with suppliers about security, and you set and communicate security requirements in contracts.

You are aware of all third-party connections and have assurance that they meet your organisation’s security requirements.

Your approach to security incident management considers incidents that might arise in your supply chain.

Your approach to supply chain risk management includes the risks to your essential services arising from supply chain subversion by capable and well-resourced attackers, if this is part of your threat model.

You have confidence that information shared with suppliers that might be essential to the service is well protected.

You can clearly express the security needs you place on suppliers in ways that are mutually understood, and are laid in contracts. There is a clear and documented shared-responsibility model.

All network connectivity and data object exchange is appropriately managed.

Where appropriate, you offer support to suppliers to resolve incidents.