CAF Outcome B5.c: Backups

From the UK NCSC's Cyber Assessment Framework (version 3.1):

You hold accessible and secured current backups of data and information needed to recover operation of your essential function.

NCSC CAF Mapped to NIST CSF

B5.c: Backups to CSF mappings generated from UK Cabinet Office table.

Control ID  Description
PR.PT-5     Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
PR.IP-4     Backups of information are conducted, maintained, and tested

ATT&CK Mitigations

MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Control system backup (SR 7.3)
    ISA/IEC 62443-3-3:2013
  • Create the backup procedures that support business continuity plan (4.3.2.5.6)
    ISA/IEC 62443-2-1:2009
  • Establish backup and restoration procedure (4.3.4.3.9)
    ISA/IEC 62443-2-1:2009

Related ISO 27001 Controls

Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Capacity management (12.1.3)
    ISO 27001:2013
  • Information backup (12.3.1)
    ISO 27001:2013

Related SP800-53 Controls

Generated from NIST's SP800-53/CSF Crosswalk mappings.

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.

ATT&CK ID  Title                                                Associated Tactics
T1119      Automated Collection                                 Collection
T1070.003  Clear Command History                                Defense Evasion
T1072      Software Deployment Tools                            Execution, Lateral Movement
T1565      Data Manipulation                                    Impact
T1565.001  Stored Data Manipulation                             Impact
T1070      Indicator Removal                                    Defense Evasion
T1070.002  Clear Linux or Mac System Logs                       Defense Evasion
T1070.009  Clear Persistence                                    Defense Evasion
T1070.007  Clear Network Connection History and Configurations  Defense Evasion
T1070.001  Clear Windows Event Logs                             Defense Evasion
T1070.008  Clear Mailbox Data                                   Defense Evasion
T1490      Inhibit System Recovery                              Impact
T1485      Data Destruction                                     Impact
T1561.002  Disk Structure Wipe                                  Impact
T1491.002  External Defacement                                  Impact
T1561.001  Disk Content Wipe                                    Impact
T1486      Data Encrypted for Impact                            Impact
T1491.001  Internal Defacement                                  Impact
T1561      Disk Wipe                                            Impact
T1491      Defacement                                           Impact
T1114.002  Remote Email Collection                              Collection
T1557.002  ARP Cache Poisoning                                  Collection, Credential Access
T1003      OS Credential Dumping                                Credential Access
T1550.001  Application Access Token                             Defense Evasion, Lateral Movement
T1020.001  Traffic Duplication                                  Exfiltration
T1558      Steal or Forge Kerberos Tickets                      Credential Access
T1602.002  Network Device Configuration Dump                    Collection
T1565.002  Transmitted Data Manipulation                        Impact
T1557      Adversary-in-the-Middle                              Collection, Credential Access
T1558.004  AS-REP Roasting                                      Credential Access
T1659      Content Injection                                    Command and Control, Initial Access
T1114      Email Collection                                     Collection
T1602.001  SNMP (MIB Dump)                                      Collection
T1040      Network Sniffing                                     Credential Access, Discovery
T1552      Unsecured Credentials                                Credential Access
T1602      Data from Configuration Repository                   Collection
T1558.002  Silver Ticket                                        Credential Access
T1114.001  Local Email Collection                               Collection
T1114.003  Email Forwarding Rule                                Collection
T1003.003  NTDS                                                 Credential Access
T1552.004  Private Keys                                         Credential Access
T1649      Steal or Forge Authentication Certificates           Credential Access
T1530      Data from Cloud Storage                              Collection
T1558.003  Kerberoasting                                        Credential Access