This blog piece is the third part of our five-part series discussing the National Cyber Security Centre’s (NCSC’s) Cyber Assessment Framework (CAF).
Part 1: NCSC’s Cyber Assessment Framework
Part 2: Services, Tools, and Resources to Help Your Organisation Understand and Achieve Compliance to the NCSC’s Cyber Assessment Framework: Objective C
Delving into the National Cyber Security Centre’s (NCSC’s) Cyber Assessment Framework (CAF), we focus our attention today on Objective A: Managing security risk. This objective is about ensuring that “appropriate organisational structures, policies, and processes are in place to understand, assess and systematically manage security risks to the network and information systems supporting essential functions” (NCSC, 2023).
Achieving Objective A is vital to organisations with not just IT but OT environments as well, as it significantly underpins the success of all subsequent objectives. It is useful to think of this interconnectedness as the ‘golden thread’ that runs throughout the CAF, with it firmly rooted in Objective A. The ‘golden thread’ concept highlights the importance of a holistic and systems thinking approach to cyber security, remembering that a system is never a sum of its parts but a product of its interactions.
In the following sections, we explore the four principles of Objective A in greater detail, looking into their Contributing Outcomes and Indicators of Good Practice (IGPs). Furthermore, we will explore on how some of these principles connect with those of other objectives through the ‘golden thread’ concept.
Principle A1: Governance
Comprehensive governance is crucial to managing security risks; it is what controls and directs an organisation’s cyber security strategy, coordinates its activities and ensures regulatory compliance. Governance also shapes the organisational culture and makes employees aware of their roles and responsibilities in security. Consequently, the CAF emphasises the need for appropriate management policies and processes to govern network and information security.
Principle A1 consists of three Contributing Outcomes:
- a Board Direction
The CAF recognises that an organisation’s board have ultimate responsibility and accountability for cyber risk management. It requires that a board-level individual is appointed to oversee network and information system security, driving regular security-themed discussions in board meetings and producing strategies that cascade throughout the organisation in policies and practices.
- b Roles and Responsibilities
The CAF stipulates that roles and responsibilities of networks and information systems security must be identified and documented at all organisational levels. Staff in these roles should have the necessary knowledge, resources and authority. Regular reviews of these roles and responsibilities are crucial to maintaining their effectiveness over time. Staff across the organisation must be kept aware of who is accountable for every element of the organisation’s cyber risk management.
- c Decision-Making
This CAF highlights the importance of delegating risk management decision-making across the organisation, to people with the necessary skills, knowledge, tools and authority. The CAF also highlights the need for senior management to remain informed about key decisions being made and to periodically review the appropriateness of delegated decision-making. The decision-making process needs to be clearly defined in an organisation’s policies and procedures.
Recalling the ‘golden thread’ concept introduced earlier in this blog, it becomes clear that robust governance is fundamental to many other CAF principles. Take for instance, B6 Staff Awareness and Training, which looks at providing staff appropriate awareness and training to perform their roles and responsibilities effectively. If these roles and responsibilities are not adequately identified and understood, then the fundamental purpose of principle B6 risks being undermined. This theme of reliance on robust governance extends to other principles, where various aspects of governance (such as policies and procedures, decision-making, board involvement, etc.) are included in them.
Principle A2: Risk Management
Risk Management requires organisations to effectively identify, assess, prioritise and mitigate risks to network and information systems security, adapting proactively to emerging threats and vulnerabilities and to innovation opportunities.
Principle A2 consists of two Contributing Outcomes:
- a Risk Management Process
The risk management process involves, identifying, assessing and prioritising risks based on their likelihood and potential impact, encompassing threats and vulnerabilities in people, processes and technology. Organisations must base their assessments on a current understanding of security threats to their essential functions and broader sector, maintaining a dynamic and proactive approach by regularly updating risk assessments in response to changes such as technical modifications and emerging threats. The outcome of the risk management process is a well-defined set of security requirements that align with the organisation’s security approach. Effective communication of key findings to decision-makers and periodic reviews of the risk management process’s effectiveness are also critical.
- b Assurance
Assurance measures the level of confidence in the effectiveness of an organisation’s security. Assurance aims to verify that security measures are effective over their lifecycle, with the CAF requiring organisations to justify their confidence levels and seek independent third-party verification. Inevitably, assurance activities may uncover security gaps. These should be promptly assessed, prioritised and addressed. Regular reviews of the effectiveness and suitability of assurance methods are also crucial.
Principle A3: Asset Management
Asset management is described in the CAF as “Everything required to deliver, maintain, or support networks and information systems necessary for the operation of essential functions is determined and understood. This includes data, people, and systems [both hardware and software], as well as any supporting infrastructure (such as power or cooling)” (NCSC, 2023). A comprehensive asset management capability is fundamental; without it, organisations cannot fully comprehend what needs defending. For this reason, it is foundational to principles of other objectives.
The CAF requires that organisations maintain a current inventory of all critical assets and their dependencies, prioritising them by their significance to the functions they support. Responsibility needs to be assigned to the management of physical assets while assets related to essential functions must be managed with cyber security in mind at every stage of their lifecycle, from creation to decommissioning and disposal.
Principle A4: Supply Chain
Most organisations rely on complex supply chains, which, while beneficial, also introduce risks. The topic of supply chain cyber security has gained significant attention in recent years, notably after the SolarWinds attack in 2020 that compromised thousands of Public and Private Sector organisations worldwide.
When identifying and understanding a supply chain, the CAF requires organisations to consider numerous factors including partnerships, competitors, nationality and other organisations which they sub-contract. This understanding should inform an organisation’s procurement and risk management processes, incorporating specific security obligations in contracts and defining responsibilities between customers and suppliers. Organisations should also control data flow with third parties and ensure collaborative incident resolution with suppliers.
In this blog piece, we have thoroughly examined CAF Objective A: Managing Security Risk, covering its four principles: A1 Governance, A2 Risk Management, A3 Asset Management, and A4 Supply Chain. We’ve highlighted the importance of governance in directing cyber security, the proactive nature of risk management, the criticality of maintaining a current asset inventory and the complexities in managing supply chain risks.
We have also delved into the ‘golden thread’ concept, shedding light on some of the extensive interconnectedness within the CAF and highlighting the necessity of a holistic approach to cybersecurity.
In conclusion, this comprehensive analysis offers insights into a systematic approach to security risk management, emphasising the need for an integrated strategy that covers governance, risk management, asset management, and supply chain security to both protect against evolving cyber threats and provide a crucial foundation for other security capabilities.
How Can Arcanum Help?
At Arcanum, our cyber security teams are experienced in implementing and assessing all aspects of security within both IT and OT environments and can offer your organisation independent, vendor-agnostic advice that is tailored to your specific business needs while providing the highest level of risk reduction possible in your situation, without impacting normal business functions.
call: 02922 784452