CAF Outcome B3.c: Stored Data
From the UK NCSC's Cyber Assessment Framework (version 3.1):
You have protected stored data important to the operation of the essential function.
NCSC CAF Mapped to NIST CSF
B3.c: Stored Data to CSF mappings generated from UK Cabinet Office table.
Control ID | Description |
---|---|
PR.PT-2 | Removable media is protected and its use restricted according to policy |
PR.AC-2 | Physical access to assets is managed and protected |
PR.IP-5 | Policy and regulations regarding the physical operating environment for organizational assets are met |
PR.IP-4 | Backups of information are conducted, maintained, and tested |
PR.PT-5 | Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations |
PR.DS-5 | Protections against data leaks are implemented |
PR.DS-1 | Data-at-rest is protected |
PR.AC-7 | Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) |
ATT&CK Mitigations
MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.
Remote Data Storage
Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.
Encrypt Sensitive Information
Protect sensitive information with strong encryption.
Restrict File and Directory Permissions
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Data Backup
Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.
- Public key infrastructure (PKI) certificates (SR 1.8), ISA/IEC 62443-3-3:2013
- Control system backup (SR 7.3), ISA/IEC 62443-3-3:2013
- Authenticator management (SR 1.5), ISA/IEC 62443-3-3:2013
- Use of cryptography (SR 4.3), ISA/IEC 62443-3-3:2013
- Software and information integrity (SR 3.4), ISA/IEC 62443-3-3:2013
- Information confidentiality (SR 4.1), ISA/IEC 62443-3-3:2013
- Strength of public key authentication (SR 1.9), ISA/IEC 62443-3-3:2013
- Protect assets against environmental damage (4.3.3.3.4), ISA/IEC 62443-2-1:2009
- Provide entry controls (4.3.3.3.3), ISA/IEC 62443-2-1:2009
- Establish physical security perimeters (4.3.3.3.2), ISA/IEC 62443-2-1:2009
Related ISO 27001 Controls
Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.
- Access control to program source code (9.4.5), ISO 27001:2013
- Information backup (12.3.1), ISO 27001:2013
- System acceptance testing (14.2.9), ISO 27001:2013
- Physical security perimeter (11.1.1), ISO 27001:2013
- Protection of records (18.1.3), ISO 27001:2013
- Privacy and protection of personally identifiable information (18.1.4), ISO 27001:2013
Related SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1119 | Automated Collection | Collection |
T1070.003 | Clear Command History | Defense Evasion |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1565 | Data Manipulation | Impact |
T1565.001 | Stored Data Manipulation | Impact |
T1070 | Indicator Removal | Defense Evasion |
T1070.002 | Clear Linux or Mac System Logs | Defense Evasion |
T1070.009 | Clear Persistence | Defense Evasion |
T1070.007 | Clear Network Connection History and Configurations | Defense Evasion |
T1070.001 | Clear Windows Event Logs | Defense Evasion |
T1070.008 | Clear Mailbox Data | Defense Evasion |
T1114.002 | Remote Email Collection | Collection |
T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
T1003 | OS Credential Dumping | Credential Access |
T1550.001 | Application Access Token | Defense Evasion, Lateral Movement |
T1020.001 | Traffic Duplication | Exfiltration |
T1558 | Steal or Forge Kerberos Tickets | Credential Access |
T1602.002 | Network Device Configuration Dump | Collection |
T1565.002 | Transmitted Data Manipulation | Impact |
T1557 | Adversary-in-the-Middle | Collection, Credential Access |
T1558.004 | AS-REP Roasting | Credential Access |
T1659 | Content Injection | Command and Control, Initial Access |
T1114 | Email Collection | Collection |
T1602.001 | SNMP (MIB Dump) | Collection |
T1040 | Network Sniffing | Credential Access, Discovery |
T1552 | Unsecured Credentials | Credential Access |
T1602 | Data from Configuration Repository | Collection |
T1558.002 | Silver Ticket | Credential Access |
T1114.001 | Local Email Collection | Collection |
T1114.003 | Email Forwarding Rule | Collection |
T1003.003 | NTDS | Credential Access |
T1552.004 | Private Keys | Credential Access |
T1649 | Steal or Forge Authentication Certificates | Credential Access |
T1530 | Data from Cloud Storage | Collection |
T1558.003 | Kerberoasting | Credential Access |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1037.005 | Startup Items | Persistence, Privilege Escalation |
T1562.002 | Disable Windows Event Logging | Defense Evasion |
T1546.013 | PowerShell Profile | Persistence, Privilege Escalation |
T1563.001 | SSH Hijacking | Lateral Movement |
T1552.001 | Credentials In Files | Credential Access |
T1036 | Masquerading | Defense Evasion |
T1569 | System Services | Execution |
T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion |
T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
T1489 | Service Stop | Impact |
T1562.004 | Disable or Modify System Firewall | Defense Evasion |
T1574.008 | Path Interception by Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |