CAF Outcome D1.b: Response and Recovery Capability

From the UK NCSC's Cyber Assessment Framework (version 3.1):

You have the capability to enact your incident response plan, including effective limitation of impact on the operation of your essential function. During an incident, you have access to timely information on which to base your response decisions.

Cyber Threat Graph Context

Explore how this control relates to the wider threat graph

NCSC CAF Mapped to NIST CSF

D1.b: Response and Recovery Capability to CSF mappings generated from UK Cabinet Office table.

Search:

Control ID	Description
ID.SC-5	Response and recovery planning and testing are conducted with suppliers and third-party providers
PR.IP-9	Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
RS.AN-3	Forensics are performed
RS.CO-1	Personnel know their roles and order of operations when a response is needed
PR.PT-5	Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
RS.CO-3	Information is shared consistent with response plans

Showing 1 to 6 of 6 entries

ATT&CK Mitigations

MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.

Data Backup

Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.

Resource management (SR 7.2)
ISA/IEC 62443-3-3:2013
Denial of service protection (SR 7.1)
ISA/IEC 62443-3-3:2013
Emergency power (SR 7.5)
ISA/IEC 62443-3-3:2013
Establish backup and restoration procedure (4.3.4.3.9)
ISA/IEC 62443-2-1:2009

Related SP800-53 Controls

Generated from NISTs SP800-53/CSF Crosswalk mappings.

Search:

Node
IR-4: Incident Handling
IR-3: Incident Response Testing
IR-6: Incident Reporting
CP-4: Contingency Plan Testing
IR-8: Incident Response Plan
CP-2: Contingency Plan
IR-9: Information Spillage Response
PE-17: Alternate Work Site
IR-7: Incident Response Assistance
CP-7: Alternate Processing Site
CP-13: Alternative Security Mechanisms
CP-12: Safe Mode
AU-7: Audit Record Reduction and Report Generation
CP-3: Contingency Training
SC-6: Resource Availability
CP-8: Telecommunications Services
CP-11: Alternate Communications Protocols
PL-8: Security and Privacy Architectures
SA-14: Criticality Analysis
RA-5: Vulnerability Monitoring and Scanning
CA-2: Control Assessments
PE-6: Monitoring Physical Access
CA-7: Continuous Monitoring
SI-4: System Monitoring

Showing 1 to 24 of 24 entries

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.

Search:

ATT&CK ID	Title	Associated Tactics
T1490	Inhibit System Recovery	Impact
T1485	Data Destruction	Impact
T1561.002	Disk Structure Wipe	Impact
T1491.002	External Defacement	Impact
T1561.001	Disk Content Wipe	Impact
T1486	Data Encrypted for Impact	Impact
T1491.001	Internal Defacement	Impact
T1561	Disk Wipe	Impact
T1491	Defacement	Impact

Showing 1 to 9 of 9 entries

CAF Outcome D1.b: Response and Recovery Capability

Cyber Threat Graph Context

NCSC CAF Mapped to NIST CSF

ATT&CK Mitigations

Data Backup

Related ISA/IEC 62443 Controls

Resource management (SR 7.2)

Denial of service protection (SR 7.1)

Emergency power (SR 7.5)

Establish backup and restoration procedure (4.3.4.3.9)

Related SP800-53 Controls

MITRE ATT&CK Techniques