CAF Outcome B6.a: Cyber Security Culture

You develop and pursue a positive cyber security culture.

Cyber Threat Graph Context

Explore how this control relates to the wider threat graph

B6.a: Cyber Security Culture to CSF mappings generated from UK Cabinet Office table.

Search:

Control ID	Description
RS.CO-2	Incidents are reported consistent with established criteria
PR.AT-2	Privileged users understand their roles and responsibilities
PR.AT-4	Senior executives understand their roles and responsibilities
RS.CO-3	Information is shared consistent with response plans
ID.BE-3	Priorities for organizational mission, objectives, and activities are established and communicated
DE.DP-4	Event detection information is communicated
PR.AT-5	Physical and cybersecurity personnel understand their roles and responsibilities
PR.IP-11	Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
DE.DP-1	Roles and responsibilities for detection are well defined to ensure accountability
ID.GV-2	Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
PR.AT-1	All users are informed and trained

Showing 1 to 11 of 11 entries

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.

Educate employees on reporting cyber security incidents (4.3.4.5.4)
ISA/IEC 62443-2-1:2009
Document and communicate security expectations and responsibilities (4.3.3.2.5)
ISA/IEC 62443-2-1:2009
Report cyber security incidents in a timely manner (4.3.4.5.5)
ISA/IEC 62443-2-1:2009
Establish a reporting procedure for unusual activities and events (4.3.4.5.3)
ISA/IEC 62443-2-1:2009

Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.

Generated from NISTs SP800-53/CSF Crosswalk mappings.

Search:

Node
IR-8: Incident Response Plan
AU-6: Audit Record Review, Analysis, and Reporting
IR-6: Incident Reporting
AT-3: Role-based Training
PM-13: Security and Privacy Workforce
RA-5: Vulnerability Monitoring and Scanning
IR-4: Incident Handling
CA-2: Control Assessments
CP-2: Contingency Plan
PE-6: Monitoring Physical Access
CA-7: Continuous Monitoring
SI-4: System Monitoring
SA-14: Criticality Analysis
PM-11: Mission and Business Process Definition
IR-2: Incident Response Training
PS-3: Personnel Screening
PS-6: Access Agreements
PS-7: External Personnel Security
PS-2: Position Risk Designation
SA-21: Developer Screening
PS-1: Policy and Procedures
PS-8: Personnel Sanctions
PS-4: Personnel Termination
PS-5: Personnel Transfer
PM-14: Testing, Training, and Monitoring
PM-2: Information Security Program Leadership Role
PM-1: Information Security Program Plan
AT-2: Literacy Training and Awareness

Showing 1 to 28 of 28 entries