Phase 3: CAF-C

Best-in-class systems and processes for detecting security events.

CAF C1

Security Monitoring

On the basis that cyber-attacks are inevitable, there should be adequate knowledge, resources, and investment in tools to ensure effective 24 / 7 threat detection and vulnerability management of critical systems. This should be backed up with current threat intelligence, systems, processes, and controls that ensure security events are proactively identified, prioritised, and resolved. These methods and systems need to be secure, with the service desk and resolver teams appropriately vetted, their access to critical systems authenticated, and the use of sensitive data tightly controlled.

CAF C2

Threat Hunting

The sophistication of cyber-attacks within the CNI verticals is moderate to high. As a result, consideration needs to be given to iterative and human-centric identification of cyber threats that will likely evade existing security tools and controls. Efforts should match the risk and consequence of a successful cyber-attack on the organisation’s critical systems.

CAF B3

Security of Data

A definitive log of all data generated by physical and digital systems - including customer data - should be established, with rigorous standards in place around how it is managed, transferred, and stored, in line with all applicable regulations.

CAF B4

System Security

A review of system design should be conducted, ensuring a defence-in-depth approach to cyber security. This should demonstrate adequate consideration for segregation and zoning of systems, including their recovery and resilience. Likewise, evidence of secure configuration, the latest patches, and vulnerability management should be delivered.

CAF B5

Resilient Networks and Systems

The resilience of all systems and their underlying network should be subject to ongoing testing and review. This should include a robust DR plan, an awareness of the risks and methods of recovery, consideration for resilience in terms of segregation and controls, and evidence of secure validated backups.