CAF Outcome B5.a: Resilience Preparation

From the UK NCSC's Cyber Assessment Framework (version 3.1):

You are prepared to restore the operation of your essential function following adverse impact.

Cyber Threat Graph Context

Explore how this control relates to the wider threat graph

NCSC CAF Mapped to NIST CSF

B5.a: Resilience Preparation to CSF mappings generated from UK Cabinet Office table.

Search:

Control ID	Description
PR.IP-9	Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
DE.CM-4	Malicious code is detected
RS.MI-1	Incidents are contained
RS.CO-1	Personnel know their roles and order of operations when a response is needed
PR.PT-5	Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
ID.SC-5	Response and recovery planning and testing are conducted with suppliers and third-party providers
PR.IP-4	Backups of information are conducted, maintained, and tested
PR.IP-10	Response and recovery plans are tested
PR.IP-3	Configuration change control processes are in place
ID.RA-2	Cyber threat intelligence is received from information sharing forums and sources
RS.AN-5	Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)

Showing 1 to 11 of 11 entries

ATT&CK Mitigations

MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.

Remote Data Storage

Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.

Threat Intelligence Program

A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.

Test and update the business continuity plan (4.3.2.5.7)
ISA/IEC 62443-2-1:2009
Create the backup procedures that support business continuity plan (4.3.2.5.6)
ISA/IEC 62443-2-1:2009
Develop and implement business continuity plans (4.3.2.5.3)
ISA/IEC 62443-2-1:2009
Establish procedures for the interim protection of critical assets (4.3.3.3.10)
ISA/IEC 62443-2-1:2009

Related ISO 27001 Controls

Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.

Protecting against external and environmental threats (11.1.4)
ISO 27001:2013
Implementing information security continuity (17.1.2)
ISO 27001:2013
Contact with special interest groups (6.1.4)
ISO 27001:2013
Protection of records (18.1.3)
ISO 27001:2013
Planning information security continuity (17.1.1)
ISO 27001:2013
Controls against malware (12.2.1)
ISO 27001:2013

Related SP800-53 Controls

Generated from NISTs SP800-53/CSF Crosswalk mappings.

Search:

Node
IR-8: Incident Response Plan
CP-2: Contingency Plan
PE-17: Alternate Work Site
IR-7: Incident Response Assistance
CP-7: Alternate Processing Site
CP-13: Alternative Security Mechanisms
CP-12: Safe Mode
IR-9: Information Spillage Response
SI-8: Spam Protection
SI-3: Malicious Code Protection
IR-4: Incident Handling
IR-3: Incident Response Testing
CP-3: Contingency Training
SC-6: Resource Availability
CP-8: Telecommunications Services
CP-11: Alternate Communications Protocols
PL-8: Security and Privacy Architectures
SA-14: Criticality Analysis
IR-6: Incident Reporting
CP-4: Contingency Plan Testing
CP-6: Alternate Storage Site
CP-9: System Backup
PM-14: Testing, Training, and Monitoring
CM-3: Configuration Change Control
CM-4: Impact Analyses
SA-10: Developer Configuration Management
PM-16: Threat Awareness Program
PM-15: Security and Privacy Groups and Associations
SI-5: Security Alerts, Advisories, and Directives

Showing 1 to 29 of 29 entries

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.

Search:

ATT&CK ID	Title	Associated Tactics
T1119	Automated Collection	Collection
T1070.003	Clear Command History	Defense Evasion
T1072	Software Deployment Tools	Execution, Lateral Movement
T1565	Data Manipulation	Impact
T1565.001	Stored Data Manipulation	Impact
T1070	Indicator Removal	Defense Evasion
T1070.002	Clear Linux or Mac System Logs	Defense Evasion
T1070.009	Clear Persistence	Defense Evasion
T1070.007	Clear Network Connection History and Configurations	Defense Evasion
T1070.001	Clear Windows Event Logs	Defense Evasion
T1070.008	Clear Mailbox Data	Defense Evasion
T1656	Impersonation	Defense Evasion
T1210	Exploitation of Remote Services	Lateral Movement
T1211	Exploitation for Defense Evasion	Defense Evasion
T1212	Exploitation for Credential Access	Credential Access
T1068	Exploitation for Privilege Escalation	Privilege Escalation

Showing 1 to 16 of 16 entries

CAF Outcome B5.a: Resilience Preparation

Cyber Threat Graph Context

NCSC CAF Mapped to NIST CSF

ATT&CK Mitigations

Remote Data Storage

Threat Intelligence Program

Related ISA/IEC 62443 Controls

Test and update the business continuity plan (4.3.2.5.7)

Create the backup procedures that support business continuity plan (4.3.2.5.6)

Develop and implement business continuity plans (4.3.2.5.3)

Establish procedures for the interim protection of critical assets (4.3.3.3.10)

Related ISO 27001 Controls

Protecting against external and environmental threats (11.1.4)

Implementing information security continuity (17.1.2)

Contact with special interest groups (6.1.4)

Protection of records (18.1.3)

Planning information security continuity (17.1.1)

Controls against malware (12.2.1)

Related SP800-53 Controls

MITRE ATT&CK Techniques