Remember how, just a few years ago, many organizations were striving to be cyber secure? Over the last years, it seemed that crowing about one’s cybersecurity posture became the very thing that mocked every organization that was the victim of a newsworthy compromise. Many organizations began augmenting their previously acclaimed security posture towards one of cyber resilience.
In 2019, the National Cyber Security Center (NCSC) released guidance that could assist organizations to achieve the flexibility to respond effectively to security incidents. The Cyber Assessment Framework (CAF) is offered as a free tool to help any company achieve resilience in the face of a cyber emergency.
The Death of “Check-the-Box” Security
The CAF functions in the same way that NIST guidelines function. The document offers 14 “principles.” The entire approach to this NCSC guidance is a broad shift from how many security frameworks are followed. Specifically, “The 14 principles are written in terms of outcomes, i.e., specification of what needs to be achieved rather than a checklist of what needs to be done.”
The guidance defines a new acronym, IGP, which represents “Indicators of Good Practice.” Most security professionals are keenly aware of Indicators of Compromise (IOC), so they may find this new acronym somewhat humorous.
The 14 principles are set under 4 broader objectives:
- Objective A: Managing security risk through four principles.
- Objective B: Protecting against cyber attack through six principles.
- Objective C: Detecting cyber security events through two principles.
- Objective D: Minimizing the impact of cyber security incidents through two principles.
Objectives A and B contain the most subheadings, but that does not mean that the sparser requirements of Objectives C and D are any easier to achieve.
Objective A includes governance, risk management, asset management, and supply chain security. In most companies, stewarding these vast goals comprises full-time roles within many organizations. In the largest organizations, there are entire departments dedicated to each of these principles.
Objective B includes more of the granular responsibilities of a corporate security operation including identity and access control, data security, system security, and security awareness training. This objective also contains service protection policies and processes as well as a principle of resilient networks and systems.
Service protection and policies would probably strike most practitioners as more appropriately placed under Objective A, as many policies often flow from the governance rather than a security discipline. However, it is perfectly reasonable that security-specific policies could originate from the security department, so the NCSC logic appears to make sense.
At first glance, the principle of resilient networks and systems seems to suffer from circular reasoning since the overall purpose of the CAF is to help an organization achieve resilience. However, the NCSC explains in the preface to the CAF that: "Objectives C, and D, are centered around monitoring and response."
Thoroughly Comprehensive, with a Touch of Direction
The CAF seems to mimic many other frameworks, and some of the principles have already been codified into various regulations, as well. What makes the online version particularly useful is that each objective and principle include links to external, industry-accepted resources that either explain or offer further guidance. This is a rabbit hole of information of the best type.
Not Intended for Internal Use Only
One of the most important points made in the introduction to the CAF is that:
It is intended to be used either by the responsible organisation itself (self-assessment) or by an independent external entity, possibly a regulator or a suitably qualified organisation acting on behalf of a regulator.
Nothing could be a fairer warning that this tool will be wielded by others to evaluate an organization. It is easy to surmise that an auditor may use the CAF to examine a company’s resiliency, but it is equally possible that a “suitably qualified organization” could be an insurance company evaluating an organization’s worthiness to possess cyber insurance.
How Tripwire Can Help
Whether your organization is just beginning its transition from readiness to resilience or if you are fully underway in this next approach to cybersecurity, there are many aspects of the CAF that should not be “home grown.” Tripwire’s full platform of products can help an organization succeed in becoming both ready and resilient. Schedule a demo of Tripwire Enterprise or any of our other products to see how we can add value to your cybersecurity program.