In this case, decaf is not necessarily a good thing. The NCSC has just released the latest version of the CAF (Cyber Assessment Framework). It is aimed at organisations that run critical national infrastructure (think health care, water, electricity and so on), at large organisations, and at those directly involved in public-sector cyber security, to help them check that their own house is in order.
For most other organisations the CAF is not compulsory, but there are a few very important and useful things to learn from CAF 3.0, whatever your sector and whatever the size of your organisation.
Here is a brief synopsis of how your organisation can benefit, and some simple things to implement to help you become more secure online. The CAF groups its objectives into three broad areas:
Manage your security risks
Monitoring & Detection
Minimising the impact of an attack (because there will be one… sooner or later.)
Managing the risk
How does your organisation stack up against the next 4 points?
At board level, there needs to be recognition, support and promotion of cyber security, so that effective organisation-wide practices can be put in place.
Roles and responsibilities need to be identified and assigned correctly.
A sensible risk-management process needs to be put in place, and security measures need to be checked and validated.
Asset management forms part of risk management – after all, you can’t really protect your assets if you don’t know what you have. Lastly, your supply chain also needs to be secure.
The list below is quite long, yet Annex A of ISO 27001 (the 2013 edition) lists 114 controls that need to be in place, so these next 17 points are a bare minimum, really. Go through each point and check that it is in place in your organisation.
Policies and procedures need to be in place, but they need to be practical, usable and appropriate – not just window dressing. This of course means they need to be implemented too. There’s nothing more pointless than a policy that says “We do X, Y and Z” when in reality you only sometimes do X, Y if you remember to, and Z never happens at all.
Access control is one of the fundamentals of cyber security. You need a matrix or spreadsheet with everyone in the organisation listed in the first column and all your information assets listed in the first row, with a clear Yes or No in the corresponding cell for each person/asset combination. A blank cell is a gap, not a No. In a larger organisation, group people by role rather than listing every individual, and check the matrix against what the systems actually grant; a spreadsheet that says No while the account still has access is worse than no spreadsheet at all.
Network access should be strictly controlled, allowing the minimum number of people, and giving them the minimum privileges required for their jobs. Two-factor authentication should be used wherever possible, especially for accounts with high privileges and for anything that can be reached from the Internet.
Devices need to be strictly monitored and controlled. Only devices that are owned and managed by your organisation may be used for any high-level access, and third-party devices are allowed onto the network only after strict security checks have been performed. You should regularly scan the network (wired and Wi-Fi) for rogue devices and compare what you find against your asset register. Mobile devices should be remotely managed, with the ability to be remotely wiped if lost or stolen.
Privileged users must not use their privileged accounts for day-to-day operations. They should have separate, low-privilege accounts for that and only log in to their privileged account when needed.
External users who need privileged access should be issued with temporary, time-bound access rights that expire automatically, rather than relying on someone remembering to revoke them.
All user access to the network needs to be monitored and logged. Unauthorised users trying to access the network need to be flagged immediately and investigated.
Data stored on your network needs to be protected against accidental or malicious deletion, modification and unauthorised access.
Your data must be classified and segregated according to sensitivity, and data you no longer need must be deleted.
All links that carry or transmit data (LAN, WAN, Internet, VPN, VLAN etc.) should be properly secured, both physically and by technical means, and suitable failover links need to be in place should the main links be compromised or disrupted in some way.
All data storage must be secured physically and by technical means, and access and read/write privileges controlled. Data at rest must be encrypted according to industry best practice. All data should be securely backed up, backups kept offline where possible, and restores tested regularly; a backup you have never restored from is an assumption, not a control.
Data destruction and equipment sanitisation go hand-in-hand. Old devices need to be erased before being disposed of, and all data destruction (physical or electronic) needs to be done securely and according to industry best practice.
‘Secure by design’ is such a basic concept that it has been written into the GDPR, as data protection by design and by default (Article 25). Networks and systems need to be simple enough to allow proper monitoring, segregated into zones, and securely configured. All changes should be documented and managed through a proper change-control process.
All system vulnerabilities need to be known and mitigated. Software should be patched regularly, and outdated systems and software promptly decommissioned.
Business continuity and disaster recovery plans need to be in place. Failover systems should be regularly tested and improved.
All staff must be trained on cyber security and how to handle security incidents. Individuals need to be trained on job-specific or department-specific criteria, and reporting problems or concerns should be encouraged and viewed in a positive light.
All of the above needs to be regularly reviewed, at least twice a year.
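The access-control point above comes down to a simple question: does what people actually do match the matrix? The script below is an added example, not code from the article or from the NCSC. It parses a person-by-asset Yes/No matrix in the shape described, treats blank cells as No but reports them, checks constructed access events against it (the "timestamp user asset action" log format and the names alice, bob, carol, dave and mallory are assumptions made for the example), and lists grants that were never used, which are the first candidates for revocation in a least-privilege review.

```python
import csv
import io
from collections import defaultdict

# Constructed access matrix in the shape the article describes: the first
# column names the person, the remaining columns are information assets, and
# each cell is Yes or No. dave's last cell is deliberately left blank.
ACCESS_MATRIX_CSV = """\
person,HR-Records,Finance-Ledger,Source-Repo,Customer-DB
alice,Yes,No,No,Yes
bob,No,Yes,No,No
carol,No,No,Yes,Yes
dave,No,No,Yes,
"""

# Constructed access events in a hypothetical "timestamp user asset action"
# format; a real deployment parses whatever its systems actually emit.
ACCESS_LOG = """\
2020-03-02T09:01:12Z alice Customer-DB read
2020-03-02T09:04:55Z bob Finance-Ledger write
2020-03-02T09:07:30Z bob Customer-DB read
2020-03-02T09:10:02Z carol Source-Repo read
2020-03-02T09:12:41Z mallory Source-Repo read
2020-03-02T09:15:19Z dave Customer-DB read
"""


def parse_matrix(text):
    """Return (allowed, ambiguous).

    allowed maps person -> {asset: bool}. ambiguous lists (person, asset, raw_cell)
    for cells that are not a clear Yes or No; they are treated as No (deny by
    default) but reported, because an unanswered cell is exactly the kind of gap
    an access review is meant to find.
    """
    allowed, ambiguous = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        person = row.pop("person").strip()
        allowed[person] = {}
        for asset, cell in row.items():
            value = (cell or "").strip().lower()
            if value not in ("yes", "no"):
                ambiguous.append((person, asset, cell or ""))
            allowed[person][asset] = value == "yes"
    return allowed, ambiguous


def _events(log_text):
    """Yield (person, asset) from the constructed log format."""
    for line in log_text.splitlines():
        if line.strip():
            _ts, person, asset, _action = line.split()
            yield person, asset


def find_violations(allowed, log_text):
    """Events the matrix does not permit, as (person, asset, reason), in log order."""
    violations = []
    for person, asset in _events(log_text):
        if person not in allowed:
            violations.append((person, asset, "user not in access matrix"))
        elif not allowed[person].get(asset, False):
            violations.append((person, asset, "access not permitted by matrix"))
    return violations


def unused_grants(allowed, log_text):
    """Yes cells never exercised in the log: least-privilege candidates for revocation."""
    seen = defaultdict(set)
    for person, asset in _events(log_text):
        seen[person].add(asset)
    return sorted(
        (person, asset)
        for person, assets in allowed.items()
        for asset, permitted in assets.items()
        if permitted and asset not in seen[person]
    )


if __name__ == "__main__":
    allowed, ambiguous = parse_matrix(ACCESS_MATRIX_CSV)
    for item in ambiguous:
        print("ambiguous cell, treated as No:", item)
    for item in find_violations(allowed, ACCESS_LOG):
        print("VIOLATION:", item)
    for item in unused_grants(allowed, ACCESS_LOG):
        print("granted but never used:", item)
```

On the constructed data this reports dave's blank Customer-DB cell, three violations (bob reading Customer-DB, an unknown user mallory, and dave's access that the blank cell does not authorise), and three grants that were never exercised. The deny-by-default handling of blank cells is the important design choice: a reviewer should have to write No explicitly rather than have silence count as permission.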
Monitoring & Detection
Monitoring is more important than most people realise. Prevention is better than cure, and early detection of system weaknesses or attempted intrusions can save you money, time and trouble with the ICO over a data breach.
Firstly, you need to understand two things, and very well: your own networks, and how cyber criminals would try and gain access.
You need to have monitoring in place for known attack vectors, malicious commands, system abnormality and policy violations.
Monitoring needs to be multi-layered: network, host and application logs each see things the others miss, and an attacker only needs one blind spot.
Security logs should be protected, both the logging function itself (so it cannot be switched off or tampered with unnoticed) and the data in the logs (which often contains usernames, addresses and other sensitive detail). Ship them to a separate system that the monitored hosts cannot write to after the fact.
Security alerts should be prioritised by severity and likely impact, and responded to accordingly.
You need network-wide anti-malware scanning and data loss prevention to be in place.
Security patches and updates should be applied within a reasonable time frame (usually a week: long enough for any glitches with the patch to have surfaced and been rectified, but not so long as to leave a large window of opportunity for attackers). Treat that as an upper bound, not a target; a patch for a vulnerability that is already being exploited should go out as soon as it has been tested.
You should subscribe to threat intelligence services and get regular updates.
Your monitoring staff need to have all the tools and authority they need to perform their duties, and have the flexibility to implement changes as new threats arise.
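The point about protecting security logs is easier to see with a concrete mechanism. The code below is an added example, not from the article or the NCSC: it keeps an append-only log as an HMAC chain, where each entry's tag covers the previous tag, its sequence number and its message, so that modifying, deleting or reordering any earlier entry breaks every later tag. The key, the three log messages and the name `DEMO_KEY` are constructed for the example; in practice the key lives on the log collector, not on the hosts producing the logs, otherwise an attacker who owns the host can simply re-sign the chain.

```python
import hashlib
import hmac

GENESIS = "0" * 64                    # stand-in "previous tag" for the first entry
DEMO_KEY = b"constructed-demo-key"    # illustration only; a real key is random and kept off-host


def _tag(key, prev_tag, seq, message):
    """Tag binding this entry to its position and to everything before it."""
    data = f"{prev_tag}|{seq}|{message}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_entry(key, chain, message):
    """Append message to chain (a list of dicts) and return the new entry."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    seq = len(chain)
    entry = {"seq": seq, "msg": message, "tag": _tag(key, prev_tag, seq, message)}
    chain.append(entry)
    return entry


def verify_chain(key, chain):
    """Return (True, None) if every entry verifies, else (False, index of first bad entry)."""
    prev_tag = GENESIS
    for i, entry in enumerate(chain):
        expected = _tag(key, prev_tag, i, entry["msg"])
        if entry["seq"] != i or not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, None


def anchor(chain):
    """Summary to ship to a separate system: chain length and latest tag."""
    return len(chain), (chain[-1]["tag"] if chain else GENESIS)


def matches_anchor(chain, anchored):
    """Truncation check: a chain cut short still verifies, but no longer matches the anchor."""
    return anchor(chain) == anchored


def build_demo_chain(key=DEMO_KEY):
    """Three constructed log messages, chained under the demo key."""
    chain = []
    for msg in ["login alice OK", "sudo bob", "login mallory FAILED"]:
        append_entry(key, chain, msg)
    return chain


if __name__ == "__main__":
    chain = build_demo_chain()
    saved_anchor = anchor(chain)
    print("intact:", verify_chain(DEMO_KEY, chain))

    tampered = [dict(e) for e in chain]
    tampered[1]["msg"] = "sudo alice"          # rewrite history
    print("modified entry:", verify_chain(DEMO_KEY, tampered))

    deleted = [chain[0], chain[2]]             # drop the middle entry
    print("deleted entry:", verify_chain(DEMO_KEY, deleted))

    truncated = chain[:2]                      # cut off the tail
    print("truncated verifies:", verify_chain(DEMO_KEY, truncated))
    print("truncated matches anchor:", matches_anchor(truncated, saved_anchor))
```

The chain on its own is blind to one attack: cutting off the most recent entries leaves a shorter chain that still verifies. That is why `anchor` exists; periodically sending the length and latest tag to a system the attacker cannot reach turns silent truncation into a detectable mismatch.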
Minimising the impact
You need a well-defined response plan, covering the complete life cycle of a security incident, roles and responsibilities, and impacts and mitigation strategies.
Recovery depends on how good your response plan is, and how well and how quickly it was followed.
Recovery also depends on how well your response team is trained and rehearsed.
After every incident or exercise, it’s very important to do a post-incident analysis. Search for root causes and use them to develop new strategies or improve existing ones.
The findings and recommendations of the post-incident analysis should be presented to top management, thus going full circle with the cyber security cycle.
Cyber security has been one of the most neglected of all forms of health and safety. You can’t do plumbing or electrical work without proper training and certifications, yet IT infrastructure is still sometimes left to whoever happens to be on hand and “knows a bit about computers ‘n stuff”. Those days are going, thanks in part to GDPR, but it’s still early days and we all need to do our part in making the global neighbourhood a safer place.