CAF Outcome B5.a: Resilience Preparation

From the UK NCSC's Cyber Assessment Framework (version 3.1):

You are prepared to restore the operation of your essential function following adverse impact.

Cyber Threat Graph Context

Explore how this control relates to the wider threat graph

NCSC CAF Mapped to NIST CSF

B5.a: Resilience Preparation to CSF mappings generated from UK Cabinet Office table.

Control ID Description
PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
DE.CM-4 Malicious code is detected
RS.MI-1 Incidents are contained
RS.CO-1 Personnel know their roles and order of operations when a response is needed
PR.PT-5 Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
ID.SC-5 Response and recovery planning and testing are conducted with suppliers and third-party providers
PR.IP-4 Backups of information are conducted, maintained, and tested
PR.IP-10 Response and recovery plans are tested
PR.IP-3 Configuration change control processes are in place
ID.RA-2 Cyber threat intelligence is received from information sharing forums and sources
RS.AN-5 Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)

ATT&CK Mitigations

MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Test and update the business continuity plan (4.3.2.5.7)
    ISA/IEC 62443-2-1:2009
  • Create the backup procedures that support business continuity plan (4.3.2.5.6)
    ISA/IEC 62443-2-1:2009
  • Develop and implement business continuity plans (4.3.2.5.3)
    ISA/IEC 62443-2-1:2009
  • Establish procedures for the interim protection of critical assets (4.3.3.3.10)
    ISA/IEC 62443-2-1:2009

Related ISO 27001 Controls

Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Protecting against external and environmental threats (11.1.4)
    ISO 27001:2013
  • Implementing information security continuity (17.1.2)
    ISO 27001:2013
  • Contact with special interest groups (6.1.4)
    ISO 27001:2013
  • Protection of records (18.1.3)
    ISO 27001:2013
  • Planning information security continuity (17.1.1)
    ISO 27001:2013
  • Controls against malware (12.2.1)
    ISO 27001:2013

Related SP800-53 Controls

Generated from NISTs SP800-53/CSF Crosswalk mappings.

Node
IR-8: Incident Response Plan
CP-2: Contingency Plan
PE-17: Alternate Work Site
IR-7: Incident Response Assistance
CP-7: Alternate Processing Site
CP-13: Alternative Security Mechanisms
CP-12: Safe Mode
IR-9: Information Spillage Response
SI-8: Spam Protection
SI-3: Malicious Code Protection
IR-4: Incident Handling
IR-3: Incident Response Testing
CP-3: Contingency Training
SC-6: Resource Availability
CP-8: Telecommunications Services
CP-11: Alternate Communications Protocols
PL-8: Security and Privacy Architectures
SA-14: Criticality Analysis
IR-6: Incident Reporting
CP-4: Contingency Plan Testing
CP-6: Alternate Storage Site
CP-9: System Backup
PM-14: Testing, Training, and Monitoring
CM-3: Configuration Change Control
CM-4: Impact Analyses
SA-10: Developer Configuration Management
PM-16: Threat Awareness Program
PM-15: Security and Privacy Groups and Associations
SI-5: Security Alerts, Advisories, and Directives

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.

ATT&CK ID Title Associated Tactics
T1119 Automated Collection Collection
T1070.003 Clear Command History Defense Evasion
T1072 Software Deployment Tools Execution, Lateral Movement
T1565 Data Manipulation Impact
T1565.001 Stored Data Manipulation Impact
T1070 Indicator Removal Defense Evasion
T1070.002 Clear Linux or Mac System Logs Defense Evasion
T1070.009 Clear Persistence Defense Evasion
T1070.007 Clear Network Connection History and Configurations Defense Evasion
T1070.001 Clear Windows Event Logs Defense Evasion
T1070.008 Clear Mailbox Data Defense Evasion
T1656 Impersonation Defense Evasion
T1210 Exploitation of Remote Services Lateral Movement
T1211 Exploitation for Defense Evasion Defense Evasion
T1212 Exploitation for Credential Access Credential Access
T1068 Exploitation for Privilege Escalation Privilege Escalation