CAF Outcome B1.b: Policy and Process Implementation

From the UK NCSC's Cyber Assessment Framework (version 3.1):

You have successfully implemented your security policies and processes and can demonstrate the security benefits achieved.

Cyber Threat Graph Context

Explore how this control relates to the wider threat graph

NCSC CAF Mapped to NIST CSF

B1.b: Policy and Process Implementation to CSF mappings generated from UK Cabinet Office table.

Search:

Control ID	Description
ID.GV-1	Organizational cybersecurity policy is established and communicated
PR.IP-8	Effectiveness of protection technologies is shared
RS.CO-1	Personnel know their roles and order of operations when a response is needed
PR.IP-11	Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
ID.GV-3	Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
RC.CO-3	Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
ID.GV-2	Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
PR.AT-1	All users are informed and trained

Showing 1 to 8 of 8 entries

ATT&CK Mitigations

MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.

Password Policies

Set and enforce secure password policies for accounts.

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.

System use notification (SR 1.12)
ISA/IEC 62443-3-3:2013
Document and communicate security expectations and responsibilities (4.3.3.2.5)
ISA/IEC 62443-2-1:2009
Communicate the policies and procedures to the organisation (4.3.2.6.6)
ISA/IEC 62443-2-1:2009
Establish complimentary physical and cyber security policies (4.3.3.3.1)
ISA/IEC 62443-2-1:2009
Identify and implement corrective and preventive actions (4.4.3.4)
ISA/IEC 62443-2-1:2009
Require employees to follow security procedures (4.3.3.3.5)
ISA/IEC 62443-2-1:2009
Define cyber security policies and procedure compliance requirements (4.3.2.6.4)
ISA/IEC 62443-2-1:2009

Related ISO 27001 Controls

Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.

Working in secure areas (11.1.5)
ISO 27001:2013
Teleworking (6.2.2)
ISO 27001:2013
Clear desk and clear screen policy (11.2.9)
ISO 27001:2013
Access control policy (9.1.1)
ISO 27001:2013
Secure system engineering principles (14.2.5)
ISO 27001:2013
Information access restriction (9.4.1)
ISO 27001:2013
Handling of assets (8.2.3)
ISO 27001:2013
Management of secret authentication information of users (9.2.4)
ISO 27001:2013
Acceptable use of assets (8.1.3)
ISO 27001:2013
Key management (10.1.2)
ISO 27001:2013
Information transfer policies and procedures (13.2.1)
ISO 27001:2013
User access provisioning (9.2.2)
ISO 27001:2013
Collection of evidence (16.1.7)
ISO 27001:2013
Labelling of information (8.2.2)
ISO 27001:2013
Documented operating procedures (12.1.1)
ISO 27001:2013
Mobile Device Policy (6.2.1)
ISO 27001:2013
Management responsibilities (7.2.1)
ISO 27001:2013
Secure log-on procedures (9.4.2)
ISO 27001:2013
Use of secret authentication information (9.3.1)
ISO 27001:2013
Secure development policy (14.2.1)
ISO 27001:2013
Disciplinary process (7.2.3)
ISO 27001:2013
Management of removable media (8.3.1)
ISO 27001:2013
Compliance with security policies and standards (18.2.2)
ISO 27001:2013
Policy on the use of cryptographic controls (10.1.1)
ISO 27001:2013
User registration and de-registration (9.2.1)
ISO 27001:2013
Policies for information Security (5.1.1)
ISO 27001:2013

Related SP800-53 Controls

Generated from NISTs SP800-53/CSF Crosswalk mappings.

Search:

Node
SI-4: System Monitoring
CA-7: Continuous Monitoring
AC-21: Information Sharing
CP-2: Contingency Plan
IR-3: Incident Response Testing
IR-8: Incident Response Plan
CP-3: Contingency Training
PS-3: Personnel Screening
PS-6: Access Agreements
PS-7: External Personnel Security
PS-2: Position Risk Designation
SA-21: Developer Screening
PS-1: Policy and Procedures
PS-8: Personnel Sanctions
PS-4: Personnel Termination
PS-5: Personnel Transfer
IR-4: Incident Handling
PM-2: Information Security Program Leadership Role
PM-1: Information Security Program Plan
PM-13: Security and Privacy Workforce
AT-2: Literacy Training and Awareness

Showing 1 to 21 of 21 entries

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.

Search:

ATT&CK ID	Title	Associated Tactics
T1078.004	Cloud Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1201	Password Policy Discovery	Discovery
T1003.006	DCSync	Credential Access
T1558	Steal or Forge Kerberos Tickets	Credential Access
T1187	Forced Authentication	Credential Access
T1555.003	Credentials from Web Browsers	Credential Access
T1110.004	Credential Stuffing	Credential Access
T1601	Modify System Image	Defense Evasion
T1601.001	Patch System Image	Defense Evasion
T1110.002	Password Cracking	Credential Access
T1003.005	Cached Domain Credentials	Credential Access
T1558.002	Silver Ticket	Credential Access
T1558.003	Kerberoasting	Credential Access
T1003	OS Credential Dumping	Credential Access
T1021.002	SMB/Windows Admin Shares	Lateral Movement
T1555.005	Password Managers	Credential Access
T1556	Modify Authentication Process	Credential Access, Defense Evasion, Persistence
T1003.004	LSA Secrets	Credential Access
T1003.001	LSASS Memory	Credential Access
T1599	Network Boundary Bridging	Defense Evasion
T1003.003	NTDS	Credential Access
T1552	Unsecured Credentials	Credential Access
T1599.001	Network Address Translation Traversal	Defense Evasion
T1552.004	Private Keys	Credential Access
T1003.007	Proc Filesystem	Credential Access
T1003.002	Security Account Manager	Credential Access
T1110.003	Password Spraying	Credential Access
T1110.001	Password Guessing	Credential Access
T1072	Software Deployment Tools	Execution, Lateral Movement
T1556.005	Reversible Encryption	Credential Access, Defense Evasion, Persistence
T1563.001	SSH Hijacking	Lateral Movement
T1550.003	Pass the Ticket	Defense Evasion, Lateral Movement
T1552.002	Credentials in Registry	Credential Access
T1555	Credentials from Password Stores	Credential Access
T1078.003	Local Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1078	Valid Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1552.001	Credentials In Files	Credential Access
T1110	Brute Force	Credential Access
T1003.008	/etc/passwd and /etc/shadow	Credential Access
T1601.002	Downgrade System Image	Defense Evasion
T1555.001	Keychain	Credential Access
T1078.001	Default Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1537	Transfer Data to Cloud Account	Exfiltration
T1558.004	AS-REP Roasting	Credential Access

Showing 1 to 44 of 44 entries

CAF Outcome B1.b: Policy and Process Implementation

Cyber Threat Graph Context

NCSC CAF Mapped to NIST CSF

ATT&CK Mitigations

Password Policies

Related ISA/IEC 62443 Controls

System use notification (SR 1.12)

Document and communicate security expectations and responsibilities (4.3.3.2.5)

Communicate the policies and procedures to the organisation (4.3.2.6.6)

Establish complimentary physical and cyber security policies (4.3.3.3.1)

Identify and implement corrective and preventive actions (4.4.3.4)

Require employees to follow security procedures (4.3.3.3.5)

Define cyber security policies and procedure compliance requirements (4.3.2.6.4)

Related ISO 27001 Controls

Working in secure areas (11.1.5)

Teleworking (6.2.2)

Clear desk and clear screen policy (11.2.9)

Access control policy (9.1.1)

Secure system engineering principles (14.2.5)

Information access restriction (9.4.1)

Handling of assets (8.2.3)

Management of secret authentication information of users (9.2.4)

Acceptable use of assets (8.1.3)

Key management (10.1.2)

Information transfer policies and procedures (13.2.1)

User access provisioning (9.2.2)

Collection of evidence (16.1.7)

Labelling of information (8.2.2)

Documented operating procedures (12.1.1)

Mobile Device Policy (6.2.1)

Management responsibilities (7.2.1)

Secure log-on procedures (9.4.2)

Use of secret authentication information (9.3.1)

Secure development policy (14.2.1)

Disciplinary process (7.2.3)

Management of removable media (8.3.1)

Compliance with security policies and standards (18.2.2)

Policy on the use of cryptographic controls (10.1.1)

User registration and de-registration (9.2.1)

Policies for information Security (5.1.1)

Related SP800-53 Controls

MITRE ATT&CK Techniques