Cyber Assessment Framework
What Is The CAF?
The National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF) provides guidance for organisations responsible for delivering vitally important services and activities.
The framework consists of a set of 14 cyber security and resilience principles, together with guidance on using and applying the principles.
It is aimed at helping an organisation achieve and demonstrate an appropriate level of cyber resilience.
The principles define a set of top-level outcomes that, collectively, describe good cyber security for organisations performing essential functions. Each principle is accompanied by a narrative and guidance for achieving the outcome, and recommends some ways to tackle common cyber security challenges.
Principles And Guidance
The NCSC intends for the principles and guidance to be used in the following way:
- Understand the principles, why they are essential, and interpret them for the organisation.
- Identify shortcomings, understand the seriousness of those shortcomings using organisational context, and prioritise.
The Four Objectives
The CAF is centred on four objectives, each of which has several principles and associated guidance.
Managing cyber security risk
Appropriate organisational structures, policies, and processes are in place to understand, assess and systematically manage security risks to the network and information systems supporting essential functions. This objective covers the principles of:
Detecting Cyber Security Events
Capabilities exist to ensure security defences remain effective in detecting cyber security events affecting or potentially affecting essential functions. This objective covers the principles of:
- Security monitoring – monitoring is in place to detect security issues and track whether existing security measures are effective.
- Proactive security event discovery – detecting cyber security events.
Minimising the Impact of Cyber Security Incidents
Capabilities exist to minimise the adverse impact of a cyber security incident on the operation of essential functions, including restoring those functions where necessary. This objective covers the principles of:
- Response and recovery planning – putting suitable incident management and mitigation processes in place.
- Lessons learned – learning from incidents and implementing lessons to improve the resilience of essential functions.
Protecting Against Cyber Attack
This objective covers the principles of:
- Defining and communicating appropriate policies to secure systems and data.
- Managing access to networks and information systems.
- Protecting data stored, processed, or transmitted electronically from actions that may have an adverse impact.
- Protecting critical systems from cyber attack.
- Building resilient networks and systems that protect and defend against a cyber attack.
- Supporting staff to understand their role and contribute to the cyber security of essential functions.
How We Support You
Our team of highly qualified and experienced consultants will work with you to assess your level of compliance. We’ll then identify any areas for development and create a plan to get you where you need to be.
We provide practical assistance and recommendations to ensure your Cyber Security Management System meets your business requirements.
Whatever your security needs, CyberWhite will apply our wealth of knowledge to your organisation, designing solutions tailored to your specific requirements and risk appetite.