CAF Outcome B1.a: Policy and Process Development

From the UK NCSC's Cyber Assessment Framework (version 3.1):

You have developed and continue to improve a set of cyber security and resilience policies and processes that manage and mitigate the risk of adverse impact on the essential function.

NCSC CAF Mapped to NIST CSF

Mappings from B1.a: Policy and Process Development to NIST CSF subcategories, generated from the UK Cabinet Office mapping table.

Control ID | Description
RS.AN-5 | Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)
PR.IP-7 | Protection processes are improved
ID.GV-3 | Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
RC.IM-1 | Recovery plans incorporate lessons learned
DE.DP-2 | Detection activities comply with all applicable requirements
ID.GV-1 | Organizational cybersecurity policy is established and communicated
RC.IM-2 | Recovery strategies are updated

ATT&CK Mitigations

MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Develop security procedures (4.3.2.6.2)
    ISA/IEC 62443-2-1:2009
  • Define information classification levels (4.3.4.4.2)
    ISA/IEC 62443-2-1:2009
  • Disable access account after failed remote login attempts (4.3.3.6.7)
    ISA/IEC 62443-2-1:2009
  • Establish triggers to evaluate CSMS (4.4.3.3)
    ISA/IEC 62443-2-1:2009
  • Develop a policy for remote login and connections (4.3.3.6.6)
    ISA/IEC 62443-2-1:2009
  • Develop an authentication strategy (4.3.3.6.1)
    ISA/IEC 62443-2-1:2009
  • Develop lifecycle management processes for IACS information (4.3.4.4.1)
    ISA/IEC 62443-2-1:2009
  • Address security responsibilities (4.3.3.2.4)
    ISA/IEC 62443-2-1:2009
  • Evaluate the CSMS periodically (4.4.3.2)
    ISA/IEC 62443-2-1:2009
  • Integrate cyber security and process safety management (PSM) change management procedures (4.3.4.3.5)
    ISA/IEC 62443-2-1:2009
  • Personnel security (4.3.3.2.1)
    ISA/IEC 62443-2-1:2009
  • Request and report employee feedback on security suggestions (4.4.3.8)
    ISA/IEC 62443-2-1:2009
  • Develop security policies (4.3.2.6.1)
    ISA/IEC 62443-2-1:2009
  • Review and maintain policies and procedures (4.3.4.3.6)
    ISA/IEC 62443-2-1:2009
  • Maintain consistency between risk management systems (4.3.2.6.3)
    ISA/IEC 62443-2-1:2009
  • Require security policies for system development or maintenance changes (4.3.4.3.4)
    ISA/IEC 62443-2-1:2009
  • Require re-authentication after remote system inactivity (4.3.3.6.8)
    ISA/IEC 62443-2-1:2009
  • Define an authorization security policy (4.3.3.7.1)
    ISA/IEC 62443-2-1:2009
  • Access accounts implement authorization security policy (4.3.3.5.1)
    ISA/IEC 62443-2-1:2009
  • Ensure appropriate records control (4.3.4.4.4)
    ISA/IEC 62443-2-1:2009
  • Review and update the cyber security policies and procedures (4.3.2.6.7)
    ISA/IEC 62443-2-1:2009

Related ISO 27001 Controls

Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Technical compliance review (18.2.3)
    ISO 27001:2013
  • Policy on the use of cryptographic controls (10.1.1)
    ISO 27001:2013
  • Secure development policy (14.2.1)
    ISO 27001:2013
  • Key management (10.1.2)
    ISO 27001:2013
  • Handling of assets (8.2.3)
    ISO 27001:2013
  • Information backup (12.3.1)
    ISO 27001:2013
  • Labelling of information (8.2.2)
    ISO 27001:2013
  • Regulation of cryptographic controls (18.1.5)
    ISO 27001:2013
  • Implementing information security continuity (17.1.2)
    ISO 27001:2013
  • Intellectual property rights (18.1.2)
    ISO 27001:2013
  • Information security requirements analysis and specification (14.1.1)
    ISO 27001:2013
  • Independent review of information security (18.2.1)
    ISO 27001:2013
  • Identification of applicable legislation and contractual requirements (18.1.1)
    ISO 27001:2013
  • Clear desk and clear screen policy (11.2.9)
    ISO 27001:2013
  • Verify, review, and evaluate information security continuity (17.1.3)
    ISO 27001:2013
  • System acceptance testing (14.2.9)
    ISO 27001:2013
  • Review of the policies for information security (5.1.2)
    ISO 27001:2013
  • Use of secret authentication information (9.3.1)
    ISO 27001:2013
  • Secure system engineering principles (14.2.5)
    ISO 27001:2013
  • Policies for information security (5.1.1)
    ISO 27001:2013
  • Documented operating procedures (12.1.1)
    ISO 27001:2013
  • Change management (12.1.2)
    ISO 27001:2013
  • Access control policy (9.1.1)
    ISO 27001:2013

Related SP800-53 Controls

Generated from NIST's SP800-53/CSF Crosswalk mappings.

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.

ATT&CK ID | Title | Associated Tactics
T1553.004 | Install Root Certificate | Defense Evasion
T1546.008 | Accessibility Features | Persistence, Privilege Escalation
T1563.002 | RDP Hijacking | Lateral Movement
T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation
T1556.008 | Network Provider DLL | Credential Access, Defense Evasion, Persistence
T1021.001 | Remote Desktop Protocol | Lateral Movement
T1011.001 | Exfiltration Over Bluetooth | Exfiltration
T1087.001 | Local Account | Discovery
T1542.005 | TFTP Boot | Defense Evasion, Persistence
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence
T1092 | Communication Through Removable Media | Command and Control
T1136 | Create Account | Persistence
T1003.002 | Security Account Manager | Credential Access
T1053.002 | At | Execution, Persistence, Privilege Escalation
T1197 | BITS Jobs | Defense Evasion, Persistence
T1003.005 | Cached Domain Credentials | Credential Access
T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation
T1087 | Account Discovery | Discovery
T1135 | Network Share Discovery | Discovery
T1003 | OS Credential Dumping | Credential Access
T1490 | Inhibit System Recovery | Impact
T1011 | Exfiltration Over Other Network Medium | Exfiltration
T1543 | Create or Modify System Process | Persistence, Privilege Escalation
T1556.002 | Password Filter DLL | Credential Access, Defense Evasion, Persistence
T1574.006 | Dynamic Linker Hijacking | Defense Evasion, Persistence, Privilege Escalation
T1552 | Unsecured Credentials | Credential Access
T1543.003 | Windows Service | Persistence, Privilege Escalation
T1548.001 | Setuid and Setgid | Defense Evasion, Privilege Escalation
T1098 | Account Manipulation | Persistence, Privilege Escalation
T1562.003 | Impair Command History Logging | Defense Evasion
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation
T1136.002 | Domain Account | Persistence
T1087.002 | Domain Account | Discovery
T1553 | Subvert Trust Controls | Defense Evasion
T1552.003 | Bash History | Credential Access
T1003.001 | LSASS Memory | Credential Access
T1564.002 | Hidden Users | Defense Evasion
T1036.007 | Double File Extension | Defense Evasion
T1656 | Impersonation | Defense Evasion
T1210 | Exploitation of Remote Services | Lateral Movement
T1211 | Exploitation for Defense Evasion | Defense Evasion
T1212 | Exploitation for Credential Access | Credential Access
T1068 | Exploitation for Privilege Escalation | Privilege Escalation
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1201 | Password Policy Discovery | Discovery
T1003.006 | DCSync | Credential Access
T1558 | Steal or Forge Kerberos Tickets | Credential Access
T1187 | Forced Authentication | Credential Access
T1555.003 | Credentials from Web Browsers | Credential Access
T1110.004 | Credential Stuffing | Credential Access
T1601 | Modify System Image | Defense Evasion
T1601.001 | Patch System Image | Defense Evasion
T1110.002 | Password Cracking | Credential Access
T1558.002 | Silver Ticket | Credential Access
T1558.003 | Kerberoasting | Credential Access
T1021.002 | SMB/Windows Admin Shares | Lateral Movement
T1555.005 | Password Managers | Credential Access
T1003.004 | LSA Secrets | Credential Access
T1599 | Network Boundary Bridging | Defense Evasion
T1003.003 | NTDS | Credential Access
T1599.001 | Network Address Translation Traversal | Defense Evasion
T1552.004 | Private Keys | Credential Access
T1003.007 | Proc Filesystem | Credential Access
T1110.003 | Password Spraying | Credential Access
T1110.001 | Password Guessing | Credential Access
T1072 | Software Deployment Tools | Execution, Lateral Movement
T1556.005 | Reversible Encryption | Credential Access, Defense Evasion, Persistence
T1563.001 | SSH Hijacking | Lateral Movement
T1550.003 | Pass the Ticket | Defense Evasion, Lateral Movement
T1552.002 | Credentials in Registry | Credential Access
T1555 | Credentials from Password Stores | Credential Access
T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1552.001 | Credentials In Files | Credential Access
T1110 | Brute Force | Credential Access
T1003.008 | /etc/passwd and /etc/shadow | Credential Access
T1601.002 | Downgrade System Image | Defense Evasion
T1555.001 | Keychain | Credential Access
T1078.001 | Default Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1537 | Transfer Data to Cloud Account | Exfiltration
T1558.004 | AS-REP Roasting | Credential Access