An Assured Service Provider of Cyber Incident Exercising services can help your organisation build resilience by adopting the CAF framework
The National Cyber Security Centre (NCSC) was formed by the government in 2016 as the UK’s technical authority for cyber security. As threats from the internet grow ever more prevalent and complex, individuals and organisations need to understand cyber security and take steps to protect themselves. NCSC supports the most critical organisations in the UK, the wider public sector, industry, SMEs as well as the general public. When incidents do occur, they provide effective incident response to minimise harm to the UK, help with recovery, and learn lessons for the future.
In recent years, the National Cyber Security Centre (NCSC) has produced world-leading cyber security guidance and frameworks, such as its Guidelines for secure AI system development, the Cyber Essentials scheme and the Cyber Assessment Framework (CAF).
In this blog, we’re going to explore the Cyber Assessment Framework and how the Cyber Incident Exercising scheme can help organisations meet the CAF objectives and build resilience.
The Cyber Assessment Framework is a comprehensive tool developed by the NCSC and first released in 2018. The framework was designed to help organisations assess and improve their cyber resilience, particularly those responsible for essential functions that are critical to society’s day-to-day operations. It is particularly aimed at organisations that are part of the Critical National Infrastructure (CNI), such as energy and water supply, transportation, health and telecommunications, and at organisations subject to certain types of cyber regulation, including the Security of Networks & Information Systems (NIS) Regulations. The CAF provides a structured and methodical way of evaluating an organisation’s cyber risk and maintaining its essential functions, thereby managing the risk of significant economic, societal, or environmental damage.
The CAF is now being used more widely, beyond the context of CNI organisations and cyber-regulated sectors. Adoption of the CAF provides a common framework for government organisations, in particular the local government sector. It can also be used by a wide range of UK businesses, charities, and public sector organisations to assess and improve their cyber resilience.
The CAF is outcome-focused rather than prescriptive, meaning it outlines the desired results of good cyber security practices without dictating the exact steps to achieve them. This approach allows for flexibility and acknowledges that different organisations may have unique ways of reaching these outcomes. The framework includes four high-level objectives: A (Managing security risk), B (Protecting against cyber attack), C (Detecting cyber security events) and D (Minimising the impact of incidents). Grouped under these four objectives are 14 underlying principles, each supported by Indicators of Good Practice (IGPs) that guide organisations in demonstrating their level of cyber resilience.
Organisations can use the CAF for self-assessment or through independent audits, with the latter often providing a more accurate picture of an organisation’s cyber resilience. The CAF is sector-agnostic but can be extended to include sector-specific elements if necessary.
The CAF’s principles and IGPs serve as a benchmark for organisations to measure their cyber security posture and make informed decisions about risk management, asset management, supply chain security, and governance.
Minimising the impact of cyber security incidents
Despite the best cyber security efforts, all organisations are at risk of a cyber attack, accidental damage or a natural disaster, and it makes good sense to have a planned and practised procedure in case of an event. A resilient organisation is one that will be able to respond to an incident, keep operating through it, and eventually recover.
The last of the four CAF objectives is Objective D – Minimise the Impact of Cyber Security Incidents. It is designed to ensure that organisations implement measures to both mitigate and recuperate from the detrimental effects of a cyber security incident, particularly those affecting critical business operations.
There are two principles grouped under Objective D, with details below:
- D1: Response and Recovery Planning
A critical element of preparedness is incident response planning, which should be based on thorough risk assessments of both the information technology and operational technology environments as they relate to the business. The response plan should encompass all potential incidents that could affect the organisation’s business functions and be auditable and testable across a variety of realistic scenarios. Regular testing and exercises are effective ways to rehearse this process in a controlled setting and to validate the effectiveness of backup systems and response plans.
- D2: Lessons Learned
When a security incident occurs, it’s critical for an organisation to learn from the experience of detecting and managing it and, where possible, to take steps to reduce the likelihood of a similar event in the future.
Since cyber security is an ongoing process, Principle D2 states that organisations continuously apply the knowledge gained from cyber security incidents to enhance their practices.
The role of Cyber Incident Exercising
Cyber incident exercising (CIE) can be used as a practical method to test and validate some of the outcomes outlined in the CAF, particularly those related to incident management. By conducting cyber incident exercises, an organisation can assess its readiness and ability to respond to incidents and identify weaknesses in its incident management strategies.
The outcomes of these exercises are crucial for informing the CAF assessment process, pinpointing areas for improvement in cyber security measures. This creates a feedback loop where insights from CIE inform enhancements to the CAF, fostering a cycle of continuous improvement in cyber security resilience. By regularly exercising, organisations can better understand the cyber risks they face and develop more effective strategies to manage them.
NCSC Assured Service Providers for Cyber Incident Exercising services
The Cyber Incident Exercising (CIE) scheme was designed to help organisations test their incident response plan with a provider who has been assured by the NCSC. The assurance process ensures that the provider meets the NCSC’s rigorous standards for high quality cyber incident exercising, with sufficient skills and experience of running table-top and live-play exercises.
The scheme’s remit covers organisationally significant incidents that have the potential for considerable operational, financial, or regulatory impacts on the victim. The scheme covers Category 3, 4 and 5 incidents on the UK’s cyber attack categorisation system. CIE Assured Service Providers can support a wide range of UK businesses, charities, public sector, and government organisations to rehearse, evaluate and improve their cyber incident response plans.
Those organisations* that are likely to face Category 1 and 2 incidents should seek help from a CIR Enhanced Level Assured Service Provider.
* This includes organisations that face targeted cyber attacks by nation-state-backed actors, organisations that operate in more than one country or in a regulated sector, and organisations that are part of UK Central Government or the Critical National Infrastructure.
You can find a list of NCSC Assured Cyber Incident Exercising providers here.