Phase 2: CAF-B

Securing against the latest, most sophisticated cyber threats.

CAF B1

Service Protection Policies, Processes, and Procedures

All aspects of physical and digital security and salient compliance obligations should be defined in a set of comprehensive security policies, with associated processes and procedures. This is often defined as a Security Management Plan, continuously reviewed and updated.

CAF B2

Identity | Access Control

Access to critical physical systems and data should be documented and managed. Users and automated functions verified, authenticated, and authorised. Zero-trust security principles and Multi-factor Authentication (MFA) should be implemented, and an allow list of users and their access maintained.

CAF B3

Security of Data

A definitive log of all data generated by physical and digital systems - including customer data - should be established, with rigorous standards in place around how it is managed, transferred, and stored, in line with all applicable regulations.

CAF B4

System Security

A review of system design should be conducted, ensuring a defence-in-depth approach to cyber security. This should demonstrate adequate consideration for segregation and zoning of systems, including their recovery and resilience. Likewise, evidence of secure configuration, the latest patches, and vulnerability management should be delivered.

CAF B5

Resilient Networks and Systems

The resilience of all systems and their underlying network should be subject to ongoing testing and review. This should include a robust DR plan, an awareness of the risks and methods of recovery, consideration for resilience in terms of segregation and controls, and evidence of secure validated backups.