Is your organisation de-CAF-inated?

Written by Christoan Smit

14 Feb, 2020

In this case, decaf is not necessarily a good thing. The NCSC has just released the latest CAF (Cyber Assessment Framework) to help especially large organisations or ones that are considered critical in the national infrastructure (think health care, water, electricity etc.) or are directly involved in public cyber security, to check that their own house is in order.

For most other organisations, the CAF is not compulsory, but there are a few very important and useful things to learn from CAF 3.0, no matter who you are or the size of your organisation.

Here is a brief synopsis on how your organisation can benefit, and some simple things to implement to help you become more secure online.

  1. Manage your security risks
  2. Defend yourself
  3. Monitoring & Detection
  4. Minimising the impact of an attack (because there will be one… sooner or later.)

Managing the risk

How does your organisation stack up against the next 4 points?

  1. At board level, there needs to be a recognition, support and promotion of cyber security, so that effective organisation-wide practices can be put in place.
  2. Roles and responsibilities need to be identified and assigned correctly.
  3. A sensible risk-management process needs to be put in place, and security measures need to be checked and validated.
  4. Asset management forms part of risk management – after all, you can’t really protect your assets if you don’t know what you have. Lastly, your supply chain also needs to be secure.


Below is quite a long list, yet ISO 27001 lists 118 controls that need to be in place, so these next 17 points are a bare minimum, really. Go through each point and check to make sure they are in place in your organisation

  1. Policies and procedures need to be in place, but they need to be practical, usable and appropriate – not just window dressing. This of course means they need to be implemented too. There’s nothing more pointless than a policy that says “We do X, Y and Z” when in reality you only sometimes do X, Y if you remember to, and Z never happens at all.
  2. Access control is one of the fundamentals of cyber security. You need a matrix or spreadsheet with everyone in the organisation listed in the first column, and all your information assets listed in the first line, with a clear Yes or No in the corresponding cell for each person/asset combination.
  3. Network access should be strictly controlled, allowing the minimum number of people, and giving them the minimum privileges required for their jobs. Two-factor authentication should be used wherever possible, especially for accounts with high privileges.
  4. Devices need to be strictly monitored and controlled. Only devices that are owned and managed by your organisation may be used for any high-level access, and third-party devices are allowed access to the network only after strict security checks are performed. You should regularly scan the network (physical and Wi-Fi) for rogue devices. Mobile devices should be remotely managed, with the ability to be remotely wiped if lost or stolen.
  5. Privileged users may not use their privileged accounts for day-to-day operations – they should have separate, low-privilege accounts for that and only access their privileged account when needed.
  6. External users who need privileged access should be issued with temporary, time-bound access rights.
  7. All user access to the network needs to be monitored and logged. Unauthorised users trying to access the network need to be flagged immediately and investigated.
  8. Data stored on your network needs to be protected against accidental or malicious deletion, modification and unauthorised access.
  9. Your data must classified and segregated according to sensitivity, and unneeded data deleted.
  10. All links that carry or transmit data (LAN, WAN, Internet, VPN, VLAN etc.) should be properly secured, both physically and by technical means, and suitable failover links need to be in place should the main links be compromised or disrupted in some way.
  11. All data storage must be secured physically and by technical means, and access and read/write privileges controlled. Data at rest must be encrypted according to industry best practise. All data should be securely backed up, and backups kept offline where possible.
  12. Data destruction and equipment sanitisation go hand-in-hand. Old devices need to be erased before being disposed of, and all data destruction (physical or electronic) needs to be done securely and according to industry best practice.
  13. ‘Secure by design’ is such a basic concept, that it has become a stipulation in the GDPR. Networks and system need to be simple enough to allow proper monitoring, segregated into zones, and securely configured. All changes should be documented and managed through a proper process.
  14. All system vulnerabilities need to be known and mitigated. Software should be patched regularly, and outdated systems and software promptly decommissioned.
  15. Business continuity and disaster recovery plans need to be in place. Failover systems should be regularly tested and improved.
  16. All staff must be trained on cyber security and how to handle security incidents. Individuals need to be trained on job-specific or department-specific criteria, and reporting problems or concerns should be encouraged and viewed in a positive light.
  17. All of the above needs to be regularly reviewed – at least biannually.

Monitoring & Detection

Monitoring is more important than what most people realise – prevention is better than cure, and early detection of system weaknesses or attempted intrusions can save you money, time and getting in trouble with the ICO for a data breach.

  1. Firstly, you need to understand two things, and very well: your own networks, and how cyber criminals would try and gain access.
  2. You need to have monitoring in place for known attack vectors, malicious commands, system abnormality and policy violations.
  3. Monitoring needs to be multi-layered.
  4. Security logs should be protected – both in function and the data contained within the log.
  5. Security alerts should be prioritised, and responded to accordingly.
  6. You need network-wide antivirus scanning and data loss prevention to be in place
  7. Security patches and updates should be applied within a reasonable time frame (usually 1 week – long enough for any glitches/problems with the patch to have surfaced and been rectified, but not so long as to leave a large window of opportunity for attackers).
  8. You should subscribe to threat intelligence services and get regular updates.
  9. Your monitoring staff need to have all the tools and authority they need to perform their duties, and have the flexibility to implement changes as new threats arise.

Minimising the impact

  1. You need a well-defined response plan, covering the complete life cycle of a security incident, roles and responsibilities, and impacts and mitigation strategies.
  2. Recovery depends on how good your response plan is, and how well and how quickly it was followed.
  3. Recovery also depends on how well your response team is trained and rehearsed.
  4. After both an incident or an exercise, it’s very import to do a case analysis. Search for root causes and use these to develop new strategies or improvements on existing ones.
  5. The findings and recommendations of the post-incident analysis should be presented to top management, thus going full circle with the cyber security cycle.

Cyber security has been one of the most neglected of all forms of health and safety. You can’t do plumbing or electrical work without proper training and certifications, yet IT infrastructure is still sometimes left to whoever happens to be on hand and “knows a bit about computers ‘n stuff”. Those days are gone, thanks to GDPR, but it’ s still early days and we all need to do our part in making the global neighbourhood a safer place.

Please visit for the full CAF, and see where you can make improvements in your organisation.