Fortifying Your Digital Defences: A Deep Dive into CAF Objective B

Fortifying Your Digital Defences: A Deep Dive into CAF Objective B

This blog piece is the fourth part of our five-part series discussing the National Cyber Security Centre’s (NCSC’s) Cyber Assessment Framework (CAF).
Part 1: NCSC’s Cyber Assessment Framework
Part 2: Services, Tools, and Resources to Help Your Organisation Understand and Achieve Compliance to the NCSC’s Cyber Assessment Framework: Objective C
Part 3: CAF Objective A: The Strong Foundation of Security Risk Management

As the digital landscape continues to evolve, the need for robust cybersecurity measures becomes increasingly critical. As we continue to explore the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF), we’ll take a dive into Objective B: Protecting Against Cyber Attack, which focuses on developing proportionate measures against cyber-attacks to defend networks and information systems.

Objective B contains 6 principles:

  • B1: Service Protection Policies and Processes
  • B2: Identity and Access Control
  • B3: Data Security
  • B4: System Security
  • B5: Resilient Networks and Systems
  • B6: Staff Awareness and Training

We’ll dissect these principles and aim to give you practical insights for their implementation.

Principle B1: Service Protection Policies and Processes

Service Protection Policies and Processes lay the groundwork for a resilient defence strategy. It’s important to understand how your people work within the systems and ensure that policies do not exceed human limits of compliance, as this will inevitably lead to workarounds and circumvention. Therefore, policies and procedures should be implemented and communicated clearly to their target community and be flexible enough to be able to be updated and changed as operational and/or strategic need requires. And with a people-focused approach, the human effort needed to comply with them should be minimal. Part of this process involves creating:

  • High-level, organisational security policies.
  • Lower-level policies with contextual definitions that support the high-level policies
  • Compliance policies and processes to assure adherence to regulations and/or industry-specific standards.

Principle B2: Identity and Access Control

Identity and Access Control form the second principle, emphasizing the importance of managing user identities and controlling access to sensitive information. Robust identity management, including the use of Multi-Factor Authentication (MFA), helps prevent unauthorised access. Regularly reviewing and updating access controls based on job roles and responsibilities ensures that individuals have the necessary access privileges, reducing the risk of insider threats. Whilst in IT environments there are many technical solutions to identity and access control, such as MFA and passwords, this is not always possible in an OT environment where Human-Machine Interfaces (HMIs) need to be easily accessible in the event of an emergency. In these instances, physical access controls and logging/monitoring controls may be better suited.

Principle B3: Data Security

Data Security is paramount in today’s digital age. Networks and systems should be designed to protect data, managing the confidentiality and integrity of the information while maintaining the availability to authorised entities. Encryption, both in transit and at rest, adds an extra layer of defence. But on top of that understanding where data is stored and implementing measures to reduce unauthorised access, tampering and deletion of said data is critical.

Principle B4: System Security

System Security focuses on securing the underlying infrastructure. The foundation of this principle is having a solid system design where security practices (such as segregation) are supported by strong architecture practices. Well configured networks reduce unauthorised access and should include established baselines supported by policies that prevent unauthorised changes or installation of software. Even noting what systems, software and devices cannot be updated so compensating security measures can be identified. This needs to be supported by system management practices that manage privileged users, physical interference with tamper protection and patch management. System security should also take steps to manage and mitigate any vulnerabilities discovered in the system as part of any vulnerability management effort.

Principle B5: Resilient Networks and Systems

Building on the previous principles, Resilient Networks and Systems emphasise the need for organisations to ensure essential functions are resilient to attack. This involves redundancy, segmentation, maintenance & repair, capacity, physical resilience, etc. However, the most integral part of this part of this principle is preparation; the ability to respond quickly and effectively. This should include definitions of critical resources, an understanding of the order of actions together with the processes to test and update these response plans. By taking the right steps, organisations ensure that even if an attack occurs, they can maintain essential services and quickly recover normal operations.

Principle B6: Staff Awareness and Training

The human element is often seen as the weakest link in cybersecurity. Staff Awareness and Training address this vulnerability by educating employees on security best practices and the latest cyber threats.  It is the responsibility of the organisation to ensure that their employees have the information, knowledge and skills to support their security processes and policies. Regular training sessions should provide all with the skills they need to carry out their job while supporting the organisation’s security initiatives. Organisations should work to promote a positive security-conscious culture contributing to a workforce that is vigilant and well-prepared to identify and respond to potential cyber threats. This is supported by having effective communication processes that enable the organisation to engage with staff and educate them on security processes, roles and responsibilities and how it relates to their job. But it’s important to note that similarly to B1, staff awareness and training needs to take a people-focussed approach and ensure minimal human effort to comply; in other words, not burning out your staff with endless training courses and “gotcha” moments through phishing exercises. This principle may be harder to achieve immediately as it can take some time to implement a positive security culture, but it is important to demonstrate that steps are being taken to implement an appropriate security culture.


Objective B of the CAF provides a structured approach to help fortify your organisation against cyber-attacks. By refining identity and access controls and managing data security with robust system security, built on the back of resilient networks and systems and supported by people-focused policies and procedures that are communicated to well-educated, well-trained staff, organisations can create a robust cybersecurity posture.  A proactive approach not only helps defend against cyber threats but also ensures a resilient and adaptive security framework in an ever-evolving digital landscape. However you decide to approach this, Arcanum can take a vendor-agnostic approach to guide you through the process on your journey to improve your cybersecurity posture.

How Can Arcanum Help?

At Arcanum, our cyber security teams are experienced in implementing and assessing all aspects of security within both IT and OT environments and can offer your organisation independent, vendor-agnostic advice that is tailored to your specific business needs while providing the highest level of risk reduction possible in your situation, without impacting normal business functions.

call: 02922 784452