CAF Outcome B1.a: Policy and Process Development

From the UK NCSC's Cyber Assessment Framework (version 3.1):

You have developed and continue to improve a set of cyber security and resilience policies and processes that manage and mitigate the risk of adverse impact on the essential function.

Cyber Threat Graph Context

Explore how this control relates to the wider threat graph

NCSC CAF Mapped to NIST CSF

B1.a: Policy and Process Development to CSF mappings generated from UK Cabinet Office table.

Search:

Control ID	Description
RS.AN-5	Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)
PR.IP-7	Protection processes are improved
ID.GV-3	Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
RC.IM-1	Recovery plans incorporate lessons learned
DE.DP-2	Detection activities comply with all applicable requirements
ID.GV-1	Organizational cybersecurity policy is established and communicated
RC.IM-2	Recovery strategies are updated

Showing 1 to 7 of 7 entries

ATT&CK Mitigations

MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.

Develop security procedures (4.3.2.6.2)
ISA/IEC 62443-2-1:2009
Define information classification levels (4.3.4.4.2)
ISA/IEC 62443-2-1:2009
Disable access account after failed remote login attempts (4.3.3.6.7)
ISA/IEC 62443-2-1:2009
Establish triggers to evaluate CSMS (4.4.3.3)
ISA/IEC 62443-2-1:2009
Develop a policy for remote login and connections (4.3.3.6.6)
ISA/IEC 62443-2-1:2009
Develop an authentication strategy (4.3.3.6.1)
ISA/IEC 62443-2-1:2009
Develop lifecycle management processes for IACS information (4.3.4.4.1)
ISA/IEC 62443-2-1:2009
Address security responsibilities (4.3.3.2.4)
ISA/IEC 62443-2-1:2009
Evaluate the CSMS periodically (4.4.3.2)
ISA/IEC 62443-2-1:2009
Integrate cyber security and process safety management (PSM) change management procedures (4.3.4.3.5)
ISA/IEC 62443-2-1:2009
Personnel security (4.3.3.2.1)
ISA/IEC 62443-2-1:2009
Request and report employee feedback on security suggestions (4.4.3.8)
ISA/IEC 62443-2-1:2009
Develop security policies (4.3.2.6.1)
ISA/IEC 62443-2-1:2009
Review and maintain policies and procedures (4.3.4.3.6)
ISA/IEC 62443-2-1:2009
Maintain consistency between risk management systems (4.3.2.6.3)
ISA/IEC 62443-2-1:2009
Require security policies for system development or maintenance changes (4.3.4.3.4)
ISA/IEC 62443-2-1:2009
Require re-authentication after remote system inactivity (4.3.3.6.8)
ISA/IEC 62443-2-1:2009
Define an authorization security policy (4.3.3.7.1)
ISA/IEC 62443-2-1:2009
Access accounts implement authorization security policy (4.3.3.5.1)
ISA/IEC 62443-2-1:2009
Ensure appropriate records control (4.3.4.4.4)
ISA/IEC 62443-2-1:2009
Review and update the cyber security policies and procedures (4.3.2.6.7)
ISA/IEC 62443-2-1:2009

Related ISO 27001 Controls

Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.

Technical compliance review (18.2.3)
ISO 27001:2013
Policy on the use of cryptographic controls (10.1.1)
ISO 27001:2013
Secure development policy (14.2.1)
ISO 27001:2013
Key management (10.1.2)
ISO 27001:2013
Handling of assets (8.2.3)
ISO 27001:2013
Information backup (12.3.1)
ISO 27001:2013
Labelling of information (8.2.2)
ISO 27001:2013
Regulation of cryptographic controls (18.1.5)
ISO 27001:2013
Implementing information security continuity (17.1.2)
ISO 27001:2013
Intellectual property rights (18.1.2)
ISO 27001:2013
Information security requirements analysis and specification (14.1.1)
ISO 27001:2013
Independent review of information security (18.2.1)
ISO 27001:2013
Identification of applicable legislation and contractual requirements (18.1.1)
ISO 27001:2013
Clear desk and clear screen policy (11.2.9)
ISO 27001:2013
Verify, review, and evaluate information security continuity (17.1.3)
ISO 27001:2013
System acceptance testing (14.2.9)
ISO 27001:2013
Review of the policies for information security (5.1.2)
ISO 27001:2013
Use of secret authentication information (9.3.1)
ISO 27001:2013
Secure system engineering principles (14.2.5)
ISO 27001:2013
Policies for information Security (5.1.1)
ISO 27001:2013
Documented operating procedures (12.1.1)
ISO 27001:2013
Change management (12.1.2)
ISO 27001:2013
Access control policy (9.1.1)
ISO 27001:2013

Related SP800-53 Controls

Generated from NISTs SP800-53/CSF Crosswalk mappings.

Search:

Node
PM-15: Security and Privacy Groups and Associations
SI-5: Security Alerts, Advisories, and Directives
PM-6: Measures of Performance
CP-2: Contingency Plan
IR-8: Incident Response Plan
CA-2: Control Assessments
CA-7: Continuous Monitoring
PL-2: System Security and Privacy Plans
IR-4: Incident Handling
SA-18: Tamper Resistance and Detection
PM-14: Testing, Training, and Monitoring
AC-25: Reference Monitor
SI-4: System Monitoring

Showing 1 to 13 of 13 entries

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.

Search:

ATT&CK ID	Title	Associated Tactics
T1553.004	Install Root Certificate	Defense Evasion
T1546.008	Accessibility Features	Persistence, Privilege Escalation
T1563.002	RDP Hijacking	Lateral Movement
T1548.003	Sudo and Sudo Caching	Defense Evasion, Privilege Escalation
T1556.008	Network Provider DLL	Credential Access, Defense Evasion, Persistence
T1021.001	Remote Desktop Protocol	Lateral Movement
T1011.001	Exfiltration Over Bluetooth	Exfiltration
T1087.001	Local Account	Discovery
T1542.005	TFTP Boot	Defense Evasion, Persistence
T1556	Modify Authentication Process	Credential Access, Defense Evasion, Persistence
T1092	Communication Through Removable Media	Command and Control
T1136	Create Account	Persistence
T1003.002	Security Account Manager	Credential Access
T1053.002	At	Execution, Persistence, Privilege Escalation
T1197	BITS Jobs	Defense Evasion, Persistence
T1003.005	Cached Domain Credentials	Credential Access
T1548	Abuse Elevation Control Mechanism	Defense Evasion, Privilege Escalation
T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation
T1087	Account Discovery	Discovery
T1135	Network Share Discovery	Discovery
T1003	OS Credential Dumping	Credential Access
T1490	Inhibit System Recovery	Impact
T1011	Exfiltration Over Other Network Medium	Exfiltration
T1543	Create or Modify System Process	Persistence, Privilege Escalation
T1556.002	Password Filter DLL	Credential Access, Defense Evasion, Persistence
T1574.006	Dynamic Linker Hijacking	Defense Evasion, Persistence, Privilege Escalation
T1552	Unsecured Credentials	Credential Access
T1543.003	Windows Service	Persistence, Privilege Escalation
T1548.001	Setuid and Setgid	Defense Evasion, Privilege Escalation
T1098	Account Manipulation	Persistence, Privilege Escalation
T1562.003	Impair Command History Logging	Defense Evasion
T1053	Scheduled Task/Job	Execution, Persistence, Privilege Escalation
T1136.002	Domain Account	Persistence
T1087.002	Domain Account	Discovery
T1553	Subvert Trust Controls	Defense Evasion
T1552.003	Bash History	Credential Access
T1003.001	LSASS Memory	Credential Access
T1564.002	Hidden Users	Defense Evasion
T1036.007	Double File Extension	Defense Evasion
T1656	Impersonation	Defense Evasion
T1210	Exploitation of Remote Services	Lateral Movement
T1211	Exploitation for Defense Evasion	Defense Evasion
T1212	Exploitation for Credential Access	Credential Access
T1068	Exploitation for Privilege Escalation	Privilege Escalation
T1078.004	Cloud Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1201	Password Policy Discovery	Discovery
T1003.006	DCSync	Credential Access
T1558	Steal or Forge Kerberos Tickets	Credential Access
T1187	Forced Authentication	Credential Access
T1555.003	Credentials from Web Browsers	Credential Access

Showing 1 to 50 of 82 entries

CAF Outcome B1.a: Policy and Process Development

Cyber Threat Graph Context

NCSC CAF Mapped to NIST CSF

ATT&CK Mitigations

Operating System Configuration

Threat Intelligence Program

Password Policies

Related ISA/IEC 62443 Controls

Develop security procedures (4.3.2.6.2)

Define information classification levels (4.3.4.4.2)

Disable access account after failed remote login attempts (4.3.3.6.7)

Establish triggers to evaluate CSMS (4.4.3.3)

Develop a policy for remote login and connections (4.3.3.6.6)

Develop an authentication strategy (4.3.3.6.1)

Develop lifecycle management processes for IACS information (4.3.4.4.1)

Address security responsibilities (4.3.3.2.4)

Evaluate the CSMS periodically (4.4.3.2)

Integrate cyber security and process safety management (PSM) change management procedures (4.3.4.3.5)

Personnel security (4.3.3.2.1)

Request and report employee feedback on security suggestions (4.4.3.8)

Develop security policies (4.3.2.6.1)

Review and maintain policies and procedures (4.3.4.3.6)

Maintain consistency between risk management systems (4.3.2.6.3)

Require security policies for system development or maintenance changes (4.3.4.3.4)

Require re-authentication after remote system inactivity (4.3.3.6.8)

Define an authorization security policy (4.3.3.7.1)

Access accounts implement authorization security policy (4.3.3.5.1)

Ensure appropriate records control (4.3.4.4.4)

Review and update the cyber security policies and procedures (4.3.2.6.7)

Related ISO 27001 Controls

Technical compliance review (18.2.3)

Policy on the use of cryptographic controls (10.1.1)

Secure development policy (14.2.1)

Key management (10.1.2)

Handling of assets (8.2.3)

Information backup (12.3.1)

Labelling of information (8.2.2)

Regulation of cryptographic controls (18.1.5)

Implementing information security continuity (17.1.2)

Intellectual property rights (18.1.2)

Information security requirements analysis and specification (14.1.1)

Independent review of information security (18.2.1)

Identification of applicable legislation and contractual requirements (18.1.1)

Clear desk and clear screen policy (11.2.9)

Verify, review, and evaluate information security continuity (17.1.3)

System acceptance testing (14.2.9)

Review of the policies for information security (5.1.2)

Use of secret authentication information (9.3.1)

Secure system engineering principles (14.2.5)

Policies for information Security (5.1.1)

Documented operating procedures (12.1.1)

Change management (12.1.2)

Access control policy (9.1.1)

Related SP800-53 Controls

MITRE ATT&CK Techniques