CAF Outcome B1.b: Policy and Process Implementation

From the UK NCSC's Cyber Assessment Framework (version 3.1):

You have successfully implemented your security policies and processes and can demonstrate the security benefits achieved.

NCSC CAF Mapped to NIST CSF

Mappings from B1.b: Policy and Process Implementation to NIST CSF subcategories, generated from the UK Cabinet Office mapping table.

Control ID  Description
ID.GV-1     Organizational cybersecurity policy is established and communicated
PR.IP-8     Effectiveness of protection technologies is shared
RS.CO-1     Personnel know their roles and order of operations when a response is needed
PR.IP-11    Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
ID.GV-3     Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
RC.CO-3     Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
ID.GV-2     Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
PR.AT-1     All users are informed and trained

ATT&CK Mitigations

MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.

  • System use notification (SR 1.12)
    ISA/IEC 62443-3-3:2013
  • Document and communicate security expectations and responsibilities (4.3.3.2.5)
    ISA/IEC 62443-2-1:2009
  • Communicate the policies and procedures to the organisation (4.3.2.6.6)
    ISA/IEC 62443-2-1:2009
  • Establish complementary physical and cyber security policies (4.3.3.3.1)
    ISA/IEC 62443-2-1:2009
  • Identify and implement corrective and preventive actions (4.4.3.4)
    ISA/IEC 62443-2-1:2009
  • Require employees to follow security procedures (4.3.3.3.5)
    ISA/IEC 62443-2-1:2009
  • Define cyber security policies and procedure compliance requirements (4.3.2.6.4)
    ISA/IEC 62443-2-1:2009

Related ISO 27001 Controls

Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Working in secure areas (11.1.5)
    ISO 27001:2013
  • Teleworking (6.2.2)
    ISO 27001:2013
  • Clear desk and clear screen policy (11.2.9)
    ISO 27001:2013
  • Access control policy (9.1.1)
    ISO 27001:2013
  • Secure system engineering principles (14.2.5)
    ISO 27001:2013
  • Information access restriction (9.4.1)
    ISO 27001:2013
  • Handling of assets (8.2.3)
    ISO 27001:2013
  • Management of secret authentication information of users (9.2.4)
    ISO 27001:2013
  • Acceptable use of assets (8.1.3)
    ISO 27001:2013
  • Key management (10.1.2)
    ISO 27001:2013
  • Information transfer policies and procedures (13.2.1)
    ISO 27001:2013
  • User access provisioning (9.2.2)
    ISO 27001:2013
  • Collection of evidence (16.1.7)
    ISO 27001:2013
  • Labelling of information (8.2.2)
    ISO 27001:2013
  • Documented operating procedures (12.1.1)
    ISO 27001:2013
  • Mobile device policy (6.2.1)
    ISO 27001:2013
  • Management responsibilities (7.2.1)
    ISO 27001:2013
  • Secure log-on procedures (9.4.2)
    ISO 27001:2013
  • Use of secret authentication information (9.3.1)
    ISO 27001:2013
  • Secure development policy (14.2.1)
    ISO 27001:2013
  • Disciplinary process (7.2.3)
    ISO 27001:2013
  • Management of removable media (8.3.1)
    ISO 27001:2013
  • Compliance with security policies and standards (18.2.2)
    ISO 27001:2013
  • Policy on the use of cryptographic controls (10.1.1)
    ISO 27001:2013
  • User registration and de-registration (9.2.1)
    ISO 27001:2013
  • Policies for information security (5.1.1)
    ISO 27001:2013

Related SP800-53 Controls

Generated from NIST's SP 800-53/CSF crosswalk mappings.

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.

ATT&CK ID  Title                                  Associated Tactics
T1078.004  Cloud Accounts                         Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1201      Password Policy Discovery              Discovery
T1003.006  DCSync                                 Credential Access
T1558      Steal or Forge Kerberos Tickets        Credential Access
T1187      Forced Authentication                  Credential Access
T1555.003  Credentials from Web Browsers          Credential Access
T1110.004  Credential Stuffing                    Credential Access
T1601      Modify System Image                    Defense Evasion
T1601.001  Patch System Image                     Defense Evasion
T1110.002  Password Cracking                      Credential Access
T1003.005  Cached Domain Credentials              Credential Access
T1558.002  Silver Ticket                          Credential Access
T1558.003  Kerberoasting                          Credential Access
T1003      OS Credential Dumping                  Credential Access
T1021.002  SMB/Windows Admin Shares               Lateral Movement
T1555.005  Password Managers                      Credential Access
T1556      Modify Authentication Process          Credential Access, Defense Evasion, Persistence
T1003.004  LSA Secrets                            Credential Access
T1003.001  LSASS Memory                           Credential Access
T1599      Network Boundary Bridging              Defense Evasion
T1003.003  NTDS                                   Credential Access
T1552      Unsecured Credentials                  Credential Access
T1599.001  Network Address Translation Traversal  Defense Evasion
T1552.004  Private Keys                           Credential Access
T1003.007  Proc Filesystem                        Credential Access
T1003.002  Security Account Manager               Credential Access
T1110.003  Password Spraying                      Credential Access
T1110.001  Password Guessing                      Credential Access
T1072      Software Deployment Tools              Execution, Lateral Movement
T1556.005  Reversible Encryption                  Credential Access, Defense Evasion, Persistence
T1563.001  SSH Hijacking                          Lateral Movement
T1550.003  Pass the Ticket                        Defense Evasion, Lateral Movement
T1552.002  Credentials in Registry                Credential Access
T1555      Credentials from Password Stores       Credential Access
T1078.003  Local Accounts                         Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1078      Valid Accounts                         Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1552.001  Credentials In Files                   Credential Access
T1110      Brute Force                            Credential Access
T1003.008  /etc/passwd and /etc/shadow            Credential Access
T1601.002  Downgrade System Image                 Defense Evasion
T1555.001  Keychain                               Credential Access
T1078.001  Default Accounts                       Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1537      Transfer Data to Cloud Account         Exfiltration
T1558.004  AS-REP Roasting                        Credential Access