ID | Outcome | Description
A1.a | Board Direction | You have effective organisational security management led at board level and articulated clearly in corresponding policies.
A1.b | Roles and Responsibilities | Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.
A1.c | Decision-making | You have senior-level accountability for the security of networks and information systems, and delegate decision-making authority appropriately and effectively. Risks to network and information systems related to the operation of essential functions are considered in the context of other organisational risks.
A2.a | Risk Management Process | Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.
A2.b | Assurance | You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to essential functions.
A3.a | Asset Management | Everything required to deliver, maintain or support networks and information systems necessary for the operation of essential functions is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling).
A4.a | Supply Chain | The organisation understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third-party services are used.
B1.a | Policy and Process Development | You have developed and continue to improve a set of cyber security and resilience policies and processes that manage and mitigate the risk of adverse impact on the essential function.
B1.b | Policy and Process Implementation | You have successfully implemented your security policies and processes and can demonstrate the security benefits achieved.
B2.a | Identity Verification, Authentication and Authorisation | You robustly verify, authenticate and authorise access to the networks and information systems supporting your essential function.
B2.b | Device Management | You fully know and have trust in the devices that are used to access your networks, information systems and data that support your essential function.
B2.c | Privileged User Management | You closely manage privileged user access to networks and information systems supporting the essential function.
B2.d | Identity and Access Management (IdAM) | You closely manage and maintain identity and access control for users, devices and systems accessing the networks and information systems supporting the essential function.
B3.a | Understanding Data | You have a good understanding of data important to the operation of the essential function, where it is stored, where it travels and how unavailability or unauthorised access, modification or deletion would adversely impact the essential function. This also applies to third parties storing or accessing data important to the operation of essential functions.
B3.b | Data in Transit | You have protected the transit of data important to the operation of the essential function. This includes the transfer of data to third parties.
B3.c | Stored Data | You have protected stored data important to the operation of the essential function.
B3.d | Mobile Data | You have protected data important to the operation of the essential function on mobile devices.
B3.e | Media Equipment Sanitisation | You appropriately sanitise media and equipment holding data important to the operation of the essential function.
B4.a | Secure by Design | You design security into the network and information systems that support the operation of essential functions. You minimise their attack surface and ensure that the operation of the essential function is not impacted by the exploitation of any single vulnerability.
B4.b | Secure Configuration | You securely configure the network and information systems that support the operation of essential functions.
B4.c | Secure Management | You manage your organisation's network and information systems that support the operation of essential functions to enable and maintain security.
B4.d | Vulnerability Management | You manage known vulnerabilities in your network and information systems to prevent adverse impact on the essential function.
B5.a | Resilience Preparation | You are prepared to restore the operation of your essential function following adverse impact.
B5.b | Design for Resilience | You design the network and information systems supporting your essential function to be resilient to cyber security incidents. Systems are appropriately segregated and resource limitations are mitigated.
B5.c | Backups | You hold accessible and secured current backups of data and information needed to recover operation of your essential function.
B6.a | Cyber Security Culture | You develop and pursue a positive cyber security culture.
B6.b | Cyber Security Training | The people who support the operation of your essential function are appropriately trained in cyber security. A range of approaches to cyber security training, awareness and communications is employed.
C1.a | Monitoring Coverage | The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function.
C1.b | Securing Logs | You hold logging data securely and grant read access only to accounts with a business need. No employee should ever need to modify or delete logging data within an agreed retention period, after which it should be deleted.
C1.c | Generating Alerts | Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts.
C1.d | Identifying Security Incidents | You contextualise alerts with knowledge of the threat and your systems, to identify those security incidents that require some form of response.
C1.e | Monitoring Tools and Skills | Monitoring staff skills, tools and roles, including any that are outsourced, should reflect governance and reporting requirements, expected threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the essential functions they need to protect.
C2.a | System Abnormalities for Attack Detection | You define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity that is otherwise hard to identify.
C2.b | Proactive Attack Discovery | You use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity.
D1.a | Response Plan | You have an up-to-date incident response plan that is grounded in a thorough risk assessment that takes account of your essential function and covers a range of incident scenarios.
D1.b | Response and Recovery Capability | You have the capability to enact your incident response plan, including effective limitation of impact on the operation of your essential function. During an incident, you have access to timely information on which to base your response decisions.
D1.c | Testing and Exercising | Your organisation carries out exercises to test response plans, using past incidents that affected your (and other) organisations, and scenarios that draw on threat intelligence and your risk assessment.
D2.a | Incident Root Cause Analysis | When an incident occurs, steps must be taken to understand its root causes and ensure appropriate remediating action is taken.
D2.b | Using Incidents to Drive Improvements | Your organisation uses lessons learned from incidents to improve your security measures.