Effective Preparation and Appropriate Response to Cyber Security Incidents: An Analysis of CAF Objective D

Effective Preparation and Appropriate Response to Cyber Security Incidents: An Analysis of CAF Objective D

This blog piece is the fifth part of our five-part series discussing the National Cyber Security Centre’s (NCSC’s) Cyber Assessment Framework (CAF).
Part 1: NCSC’s Cyber Assessment Framework
Part 2: Services, Tools, and Resources to Help Your Organisation Understand and Achieve Compliance to the NCSC’s Cyber Assessment Framework: Objective C
Part 3: CAF Objective A: The Strong Foundation of Security Risk Management
Part 4: Fortifying Your Digital Defences: A Deep Dive into CAF Objective B – Arcanum Cyber (arcanum-cyber.com)

When going through your cyber security journey, it is important to note that you cannot completely remove security risk from the equation.  As such there will always be a need to prepare for an incident with the most serious of impacts and decide how best to rebuild and recover should the worst happen.  Building upon the preceding CAF Principles, Objective D: Minimise the Impact of Cyber Security Incidents aims for organisations to have in place mechanisms that allow them to minimise as well as recover from the adverse impacts of a cyber security incident, particularly if they impact an essential business function.  It is also important to note early on that, as per other Objectives, consideration should be given to serious impacts in both the IT (Information Technology) and OT (Operational Technology) environment(s). As seen with recent cyber-attacks, incidents that occur in one domain often have the potential to pivot into other domains (for example IT into OT), or at least cause negative 2nd and 3rd order effects that can disrupt key business operations.

Objective B is split into 2 principles:

  • D1: Response and Recovery Planning
  • D2: Lessons Learned

These principles are covered in greater detail below.

Principle D1: Response and Recovery Planning

Security incidents will inevitably happen to every organisation and when they do there should be effective strategies in place to deal with them and, as far as practicable, security mechanisms in place that lessen their impact, especially on essential business functions.  Examples of these focused protective mechanisms might include things such as DDoS (distributed denial of service) protection, protected power supply, critical system redundancy, rate-limiting access to data or service commands, critical data and system backup or manual fail-over processes.  The decision on which mechanisms to include should be as a part of an organisation’s overall risk management strategy.

Incident response planning is a key part of being prepared for the impact of security incidents when they occur. Organisations should ensure that incident response planning is firmly grounded in comprehensive risk assessments covering both their IT and OT environments as necessary to the business.  In addition, the response to all potential incidents relevant to the organisations business functions should be covered in an auditable and testable manner across a range of realistic scenarios. Not only should the organisation’s incident response plan be recorded and kept up to date, but businesses should also ensure they have the capability to enact the plan in a timely and efficient manner when needed. Testing and exercising are great ways to practice this process in a safe environment and to confirm the validity of any system and data back-up strategy and response resource RACI.

In addition, some cyber-related regulations, such as the DPA 2018 and the NIS Directive, have mandatory reporting requirements around cyber security incidents that have the potential to affect essential systems assets and functions.  Incident escalations and reporting requirements should be clearly understood and incorporated into any incident response planning that the organisation conducts.

Principle D2: Lessons Learned

When a security incident does occur, it is important that your organisation learns from the experience of detecting and dealing with it and, where practicable, takes the necessary steps to minimise the impacts of a similar issue in future.

A key point here is that any actions taken based on lessons learned should be to address the root cause or to identify systemic problems within the organisation, rather than to fix a more symptomatic issue. For example: If the root cause of the incident was relating to an outdated patch, investigate the Patch Management process from a people, process, and technology perspective, not just the patch that allowed this specific incident to occur. It is important to note, root cause analysis may not always be fully achievable, particularly if logs are not collected or maintained, which is where achievement in other areas of the CAF becomes an important supportive activity.

As cyber security activities should remain a continuous cycle, Principle D2 is designed to ensure that organisations continually use experience and knowledge of cyber security incidents to drive forward improvements.


Objective D helps guide organisations to develop robust and detailed incident response and recovery plans. Being able to have a clear and concise series of actions in place that cover a breadth of potential incidents help to prevent organisations from wasting time and resources, whilst protecting them against unnecessary losses when dealing with an incident.  Objective D encourages organisations to take necessary and proportionate actions in response to incidents.  For example, forcing a widespread shutdown to resolve a ransomware attack may result in additional hours lost and additional resources required to recover those affected IT systems; however, in an OT environment a forced shutdown of certain processes could, on top of all the above, cost millions of pounds in lost/wasted production or risk people’s safety.

Additionally, if an organisation is subject to an incident and only focuses on returning to normal running, without establishing the root cause of the incident, it is potentially more likely to have further repeat incidents, each one bringing further disruption to operations. The continuous cycle of review and update to both response and recovery plans helps to make sure that all steps and strategies are appropriate, proportionate, and relevant to your organisation.

How Can Arcanum Help?

At Arcanum, our cyber security teams are experienced in implementing and assessing all aspects of security within both IT and OT environments. We can offer your organisation independent, technology vendor-agnostic advice that is tailored to your specific business needs, whilst providing guidance to achieve the highest level of security risk reduction and resilience possible in your situation, without significantly impacting business functions.

call: 02922 784452

email: contact@arcanum-cyber.com

website: https://arcanum-cyber.com/operational-technology/