Secure by Design Example Controls Taxonomy
There are a range of industry standard frameworks you can use to mitigate digital service risks.
This page shows the objectives, principles, contributing outcomes and indicators of good practice (IGPs) from the National Cyber Security Centre's (NCSC) Cyber Assessment Framework (CAF) version 3.2.
Listed under each CAF contributing outcome are cyber security and privacy controls from the following frameworks: NIST SP 800-53, NCSC 10 Steps to Cyber Security, NCSC Cloud Security Principles, CIS Critical Security Controls (CIS-18), OWASP Top 10 2021 and ISO/IEC 27001. Note that the ISO 27001 references use the 2013 Annex A numbering (A.8, A.9, A.10, A.13) in some sections and the 2022 Annex A numbering (A.5, A.6, A.7, A.8) in others; check which edition your organisation is certified against before reusing the mapping.
Your organisation's security experts can adapt this template to suit the scope, characteristics and regulatory requirements of your digital service.
CAF objective A: Managing security risk
CAF principle A1: Governance
IGP: You have effective organisational security management led at board level and articulated clearly in corresponding policies, based on timely and accurate information and informed by expert guidance.
Board decisions are put into practice through organisational procedures that control essential function network and information system security.
NIST SP800-53
- PM-11: Mission and business process definition
- SC-1: Policy and procedures
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 4: Governance framework
CIS-18
- 14.1: Establish and maintain a security awareness programme
- 14.2: Train workforce members to recognise social engineering attacks
- 14.6: Train workforce members on recognising and reporting security incidents
OWASP 2021
- A03:2021: Injection
- A05:2021: Security misconfiguration
- A09:2021: Security logging and monitoring failures
ISO27001
- A.5: Information security policies
- A.6: Organisation of information security
IGP: Your organisation has established key roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks. These are reviewed regularly to ensure they remain fit for purpose.
NIST SP800-53
- PM-1: Information security programme plan
- PS-9: Position description
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 4: Governance framework
CIS-18
- 14.1: Establish and maintain a security awareness programme
- 14.9: Conduct role-specific security awareness and skills training
- 15.4: Ensure service provider contracts include security requirements
- 16.9: Train developers in application security concepts and secure coding
- 17.1: Designate personnel to manage incident handling
- 17.2: Establish and maintain contact information for reporting security incidents
- 17.4: Establish and maintain an incident response process
- 17.5: Assign key roles and responsibilities
OWASP 2021
- A03:2021: Injection
- A05:2021: Security misconfiguration
- A09:2021: Security logging and monitoring failures
ISO27001
- A.5: Information security policies
- A.6: Organisation of information security
IGP: Senior management have visibility of key risk decisions made throughout the organisation.
Risk management decision-makers understand their responsibilities for making effective and timely decisions in the context of the risk appetite regarding the essential function(s), as set by senior management.
Risk management decision-making is delegated and escalated where necessary, across the organisation, to people who have the skills, knowledge, tools and authority they need.
Risk management decisions are regularly reviewed to ensure their continued relevance and validity.
NIST SP800-53
- PM-10: Authorisation process
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 4: Governance framework
CIS-18
- 17.1: Designate personnel to manage incident handling
- 17.4: Establish and maintain an incident response process
OWASP 2021
- A05:2021: Security misconfiguration
- A03:2021: Injection
- A09:2021: Security logging and monitoring failures
ISO27001
- A.5: Information security policies
- A.6: Organisation of information security
CAF principle A2: Risk management
IGP: Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.
The effectiveness of the risk management process is reviewed regularly, and improvements made as required.
Organisation performs detailed threat analysis and understands how this applies in the context of the threat to your sector and the wider Critical National Infrastructure (CNI).
NIST SP800-53
- RA-1: Policy and procedures (Risk assessment family)
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 7: Secure development
CIS-18
- 3.7: Establish and maintain a data classification scheme
- 7.2: Establish and maintain a remediation process
- 7.4: Perform automated application patch management
- 7.6: Perform automated vulnerability scans of externally-exposed enterprise assets
- 15.4: Ensure service provider contracts include security requirements
- 15.5: Assess service providers
OWASP 2021
- A02:2021: Cryptographic failures
- A06:2021: Vulnerable and outdated components
- A07:2021: Identification and authentication failures
ISO27001
- A.6: Organisation of information security
- A.15: Supplier relationships
IGP: Your organisation validates the effectiveness of security measures for network and information systems throughout their life cycle. Organisation understands and chooses appropriate assurance methods to gain confidence in the security of essential functions.
The organisation's confidence in security, across technology, people and processes, can be justified and verified by a third party. Security deficiencies found by assurance activities are assessed, prioritised, and remedied promptly and effectively. Assurance methods are regularly reviewed for effectiveness and appropriateness.
NIST SP800-53
- PM-4: Plan of action and milestones process
- RA-7: Risk response
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 7: Secure development
CIS-18
- 15.5: Assess service providers
OWASP 2021
- A02:2021: Cryptographic failures
- A06:2021: Vulnerable and outdated components
- A07:2021: Identification and authentication failures
ISO27001
- A.6: Organisation of information security
- A.15: Supplier relationships
CAF principle A3: Asset management
IGP: All assets relevant to the secure operation of essential function(s) are identified and inventoried (at a suitable level of detail). The inventory is kept up-to-date.
Dependencies on supporting infrastructure (for example, power, cooling and so on) are recognised and recorded.
Organisation has prioritised the assets according to their importance to the operation of the essential function(s).
Organisation has assigned responsibility for managing all assets, including physical assets, relevant to the operation of the essential function(s).
Assets relevant to the essential function(s) are managed with cyber security in mind throughout their life cycle, from creation through to eventual decommissioning or disposal.
NIST SP800-53
- CM-8: System component inventory
- PM-5: System inventory
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 2: Asset protection and resilience
CIS-18
- 1.1: Establish and maintain detailed asset inventory
- 1.3: Utilise an active discovery tool
- 1.4: Use dynamic host configuration protocol (DHCP) logging to update enterprise asset inventory
- 1.5: Use a passive asset discovery tool
- 2.1: Establish and maintain a software inventory
- 2.2: Ensure authorised software is currently supported
- 2.3: Address unauthorised software
- 2.4: Utilise automated software inventory tools
- 2.5: Allowlist authorised software
- 2.6: Allowlist authorised libraries
- 3.2: Establish and maintain a data inventory
- 3.5: Securely dispose of data
- 3.7: Establish and maintain a data classification scheme
- 3.8: Document data flows
- 7.1: Establish and maintain a vulnerability management process
- 7.2: Establish and maintain a remediation process
- 7.4: Perform automated application patch management
- 9.6: Block unnecessary file types
- 12.4: Establish and maintain architecture diagram(s)
- 13.5: Manage access control for remote assets
- 16.4: Establish and manage an inventory of third-party software components
OWASP 2021
- A03:2021: Injection
- A05:2021: Security misconfiguration
- A06:2021: Vulnerable and outdated components
ISO27001
- A.8.1.1: Inventory of assets
- A.8.1.2: Ownership of assets
- A.8.1.3: Acceptable use of assets
- A.8.1.4: Return of assets
- A.8.2: Information classification
- A.8.3: Media handling
CAF principle A4: Supply chain
IGP: The organisation has a deep understanding of its supply chain, including sub-contractors and the wider risks it faces.
Organisation considers factors such as suppliers' partnerships, competitors, nationality and other organisations with which they sub-contract. This informs your risk assessment and procurement processes.
Organisation's approach to supply chain risk management considers the risks to your essential function(s) arising from supply chain subversion by capable and well-resourced attackers.
Organisation has confidence that information shared with suppliers which is essential to the operation of your function(s) is appropriately protected from sophisticated attacks.
Organisation understands which contracts are relevant and includes appropriate security obligations in relevant contracts. Organisation has a proactive approach to contract management, which may include a contract management plan for relevant contracts.
Customer and supplier ownership of responsibilities is laid out in contracts.
All network connections and data sharing with third parties are managed effectively and proportionately.
When appropriate, your incident management process and that of your suppliers provide mutual support in the resolution of incidents.
NIST SP800-53
- PM-30: Supply chain risk management strategy
- SR-2: Supply chain risk management plan
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 8: Supply chain security
CIS-18
- 15.1: Establish and maintain an inventory of service providers
- 15.2: Establish and maintain a service provider management policy
- 15.3: Classify service providers
- 15.4: Ensure service provider contracts include security requirements
- 15.5: Assess service providers
- 15.6: Monitor service providers
- 15.7: Securely decommission service providers
- 17.4: Establish and maintain an incident response process
OWASP 2021
ISO27001
- A.15: Supplier relationships
CAF objective B: Protecting against cyber attacks
CAF principle B1: Service protection policies and processes
IGP: Organisation fully documents overarching security governance and risk management approach, technical security practice and specific regulatory compliance. Cyber security is integrated and embedded throughout policies, processes and procedures and key performance indicators are reported to your executive management.
Organisation’s policies, processes and procedures are developed to be practical, usable and appropriate for your essential function(s) and your technologies.
Policies, processes and procedures that rely on user behaviour are practical, appropriate and achievable.
Organisation reviews and updates policies, processes and procedures at suitably regular intervals to ensure they remain relevant. This is in addition to reviews following a major cyber security incident.
Any changes to the essential function(s) or the threat it faces triggers a review of policies, processes and procedures.
Systems are designed so that they remain secure even when user security policies, processes and procedures are not always followed.
NIST SP800-53
- AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, SA-1, SC-1, SI-1: Policy and procedures (the "-1" control of each family)
- PM-1: Information security programme plan
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 4: Governance framework
CIS-18
- 1.1: Establish and maintain detailed asset inventory
- 2.1: Establish and maintain a software inventory
- 3.2: Establish and maintain a data inventory
- 3.5: Securely dispose of data
- 3.7: Establish and maintain a data classification scheme
- 4.1: Establish and maintain a secure configuration process
- 7.1: Establish and maintain a vulnerability management process
- 7.2: Establish and maintain a remediation process
- 7.4: Perform automated application patch management
- 15.2: Establish and maintain a service provider management policy
- 16.1: Establish and maintain a secure application development process
- 16.4: Establish and manage an inventory of third-party software components
- 17.4: Establish and maintain an incident response process
- 18.1: Establish and maintain a penetration testing programme
OWASP 2021
- A05:2021: Security misconfiguration
ISO27001
- A.5.1: Policies for information security (includes review and update requirements)
- A.5.2: Information security roles and responsibilities
- A.5.3: Segregation of duties
- A.5.4: Management responsibilities
- A.5.8: Information security in project management
- A.5.23: Information security for use of cloud services
IGP: All policies, processes and procedures are followed, and their correct application and security effectiveness are evaluated.
Policies, processes and procedures are integrated with other organisational policies, processes and procedures, including HR assessments of individuals’ trustworthiness.
Policies, processes and procedures are effectively and appropriately communicated across all levels of the organisation resulting in good staff awareness of their responsibilities.
Appropriate action is taken to address all breaches of policies, processes and procedures with potential to adversely impact the essential function(s) including aggregated breaches.
NIST SP800-53
- PL-1: Policy and procedures (Planning family)
- PM-1: Information security programme plan
- PM-9: Risk management strategy
- RA-1: Policy and procedures (Risk assessment family)
- CA-1: Policy and procedures (Assessment, authorisation and monitoring family)
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 4: Governance framework
CIS-18
- 1.1: Establish and maintain detailed asset inventory
- 2.1: Establish and maintain a software inventory
- 2.2: Ensure authorised software is currently supported
- 3.1: Establish and maintain a data management process
- 3.2: Establish and maintain a data inventory
- 3.5: Securely dispose of data
- 3.7: Establish and maintain a data classification scheme
- 8.2: Collect audit logs
- 8.11: Conduct audit log reviews
- 10.3: Disable autorun and autoplay for removable media
- 16.4: Establish and manage an inventory of third-party software components
- 16.8: Separate production and non-production systems
OWASP 2021
- A05:2021: Security misconfiguration
ISO27001
- A.5.1: Policies for information security
- A.5.2: Information security roles and responsibilities
- A.5.4: Management responsibilities
- A.5.5: Contact with authorities
- A.5.6: Contact with special interest groups
- A.5.8: Information security in project management
- A.5.23: Information security for use of cloud services
- A.5.24: Information security incident management planning and preparation
- A.5.26: Response to information security incidents
- A.6.3: Information security awareness, education and training
- A.8.16: Monitoring activities
CAF principle B2: Identity and access control
IGP: The process of initial identity verification is robust enough to provide a high level of confidence in a user's identity before an authorised user is allowed access to network and information systems that support your essential function(s).
Only authorised and individually authenticated users can physically access and logically connect to your network or information systems on which your essential function(s) depend.
The number of authorised users and systems that have access to all your network and information systems supporting the essential function(s) is limited to the minimum necessary.
Organisation uses additional authentication mechanisms, such as multi-factor authentication (MFA), for all user access, including remote access, to all network and information systems that operate or support your essential function(s).
The list of users and systems with access to network and information systems supporting and delivering the essential function(s) is reviewed on a regular basis, at least every six months.
Your approach to authenticating users, devices and systems follows up-to-date best practice.
NIST SP800-53
- IA-11: Re-authentication
- IA-2: Identification and authentication (organisational users)
- IA-4: Identifier management
- IA-5: Authenticator management
- IA-7: Cryptographic module authentication
- IA-8: Identification and authentication (non-organisational users)
- IA-9: Service identification and authentication
NCSC: 10 Steps to Cyber Security
Identity and access management
NCSC: Cloud Security Principles
Principle 10: Identity and authentication
CIS-18
- 1.2: Address unauthorised assets
- 1.3: Utilise an active discovery tool
- 1.4: Use dynamic host configuration protocol (DHCP) logging to update enterprise asset inventory
- 1.5: Use a passive asset discovery tool
- 2.5: Allowlist authorised software
- 2.6: Allowlist authorised libraries
- 3.3: Configure data access control lists
- 4.7: Manage default accounts on enterprise assets and software
- 5.1: Establish and maintain an inventory of accounts
- 5.2: Use unique passwords
- 5.3: Disable dormant accounts
- 5.4: Restrict administrator privileges to dedicated administrator accounts
- 5.5: Establish and maintain an inventory of service accounts
- 6.1: Establish an access granting process
- 6.2: Establish an access revoking process
- 6.3: Require MFA for externally-exposed applications
- 6.4: Require MFA for remote network access
- 6.5: Require MFA for administrative access
- 6.6: Establish and maintain an inventory of authentication and authorisation systems
- 6.7: Centralised access control
- 6.8: Define and maintain role-based access control
- 9.6: Block unnecessary file types
- 12.3: Securely manage network infrastructure
- 12.6: Use of secure network management and communication protocols
- 12.7: Ensure remote devices utilise a VPN and are connecting to an enterprise AAA infrastructure
- 13.5: Manage access control for remote assets
- 13.9: Deploy port-level access control
- 15.7: Securely decommission service providers
OWASP 2021
- A07:2021: Identification and authentication failures
- A01:2021: Broken access control
- A03:2021: Injection
- A09:2021: Security logging and monitoring failures
ISO27001
- A.9.1.2: Access to networks and network services
- A.9.2: User access management
- A.9.2.5: Review of user access rights
- A.9.2.6: Removal or adjustment of access rights
- A.9.3: User responsibilities
- A.9.4: System and application access control
- A.9.4.3: Password management system
- A.9.4.4: Use of privileged utility programs
- A.10.1.1: Policy on the use of cryptographic controls
IGP: All privileged operations performed on your network and information systems supporting your essential function(s) are conducted from highly trusted devices, such as Privileged Access Workstations, dedicated solely to those operations.
Organisation either obtains independent and professional assurance of the security of third-party devices or networks before they connect to your network and information systems, or only allows third-party devices or networks that are dedicated to supporting your network and information systems to connect.
The organisation performs certificate-based device identity management and only allows known devices to access systems necessary for the operation of your essential function(s).
Organisation performs regular scans to detect unknown devices and investigate any findings.
NIST SP800-53
- AC-11: Device lock
- AC-19: Access control for mobile devices
- IA-3: Device identification and authentication
- MA-2: Controlled maintenance
- MA-6: Timely maintenance
- SI-7: Software, firmware, and information integrity
NCSC: 10 Steps to Cyber Security
Identity and access management
NCSC: Cloud Security Principles
Principle 10: Identity and authentication
CIS-18
- 1.1: Establish and maintain detailed asset inventory
- 5.2: Use unique passwords
- 6.3: Require MFA for externally-exposed applications
- 6.4: Require MFA for remote network access
- 6.5: Require MFA for administrative access
- 9.7: Deploy and maintain email server anti-malware protections
- 10.1: Deploy and maintain anti-malware software
- 10.2: Configure automatic anti-malware signature updates
- 10.4: Configure automatic anti-malware scanning of removable media
- 10.5: Enable anti-exploitation features
- 10.6: Centrally manage anti-malware software
- 10.7: Use behaviour-based anti-malware software
- 12.7: Ensure remote devices utilise a VPN and are connecting to an enterprise AAA infrastructure
- 13.5: Manage access control for remote assets
OWASP 2021
- A07:2021: Identification and authentication failures
- A01:2021: Broken access control
- A03:2021: Injection
- A09:2021: Security logging and monitoring failures
ISO27001
- A.9.1.2: Access to networks and network services
- A.9.2: User access management
- A.9.2.5: Review of user access rights
- A.9.2.6: Removal or adjustment of access rights
- A.9.3: User responsibilities
- A.9.4: System and application access control
- A.9.4.3: Password management system
- A.9.4.4: Use of privileged utility programs
- A.10.1.1: Policy on the use of cryptographic controls
IGP: Privileged user access to your essential function(s) systems is carried out from dedicated separate accounts that are closely monitored and managed.
The issuing of temporary, time-bound rights for privileged user access and / or external third-party support access is in place.
Privileged user access rights are regularly reviewed and always updated as part of your joiners, movers and leavers process.
All privileged user activity is routinely reviewed, validated and recorded for offline analysis and investigation.
NIST SP800-53
- AC-17(4): Remote access | Privileged commands and access
- AT-3: Role-based training
- IA-2(1): Identification and authentication (organisational users) | Multi-factor authentication to privileged accounts
NCSC: 10 Steps to Cyber Security
Identity and access management
NCSC: Cloud Security Principles
Principle 10: Identity and authentication
CIS-18
- 5.2: Use unique passwords
- 6.3: Require MFA for externally-exposed applications
- 6.4: Require MFA for remote network access
- 6.5: Require MFA for administrative access
- 14.9: Conduct role-specific security awareness and skills training
- 16.9: Train developers in application security concepts and secure coding
OWASP 2021
- A01:2021: Broken access control
- A05:2021: Security misconfiguration
- A09:2021: Security logging and monitoring failures
- A07:2021: Identification and authentication failures
ISO27001
- A.5.15: Access control
- A.5.16: Identity management
- A.5.17: Authentication information
- A.5.18: Access rights (includes review, removal and adjustment of access rights)
- A.5.25: Assessment and decision on information security events
- A.7.13: Equipment maintenance
- A.7.14: Secure disposal or re-use of equipment
- A.8.16: Monitoring activities
IGP: Organisation follows a robust procedure to verify each user and issue the minimum required access rights, and the application of the procedure is regularly audited.
User access rights are reviewed both when people change roles, via your joiners, movers and leavers process, and at regular intervals, at least annually.
All user, device and system access to the systems supporting the essential function(s) is logged and monitored.
Organisation regularly reviews access logs and correlates this data with other access records and expected activity.
Attempts by unauthorised users, devices or systems to connect to the systems supporting the essential function(s) are alerted on, promptly assessed and investigated.
NIST SP800-53
- AC-10: Concurrent session control
- AC-12: Session termination
- AC-13: Supervision and review – access control (withdrawn in SP 800-53 Rev. 5; incorporated into AC-2 and AU-6)
- AC-14: Permitted actions without identification or authentication
- AC-16: Security and privacy attributes
- AC-17: Remote access
- AC-18: Wireless access
- AC-18(1): Wireless access | Authentication and encryption
- AC-19: Access control for mobile devices
- AC-2: Account management
- AC-20: Use of external systems
- AC-20(1): Use of external systems | Limits on authorised use
- AC-21: Information sharing
- AC-22: Publicly accessible content
- AC-23: Data mining protection
- AC-24: Access control decisions
- AC-24(1): Access control decisions | Transmit access authorisation information
- AC-25: Reference monitor
- AC-3: Access enforcement
- AC-4: Information flow enforcement
- AC-5: Separation of duties
- AC-6: Least privilege
- AC-7: Unsuccessful logon attempts
- AC-8: System use notification
- AC-9: Previous logon notification
- PS-4: Personnel termination
- PS-5: Personnel transfer
- PS-7: External personnel security
NCSC: 10 Steps to Cyber Security
Identity and access management
NCSC: Cloud Security Principles
Principle 6: Personnel security
CIS-18
- 4.11: Enforce remote wipe capability on portable end-user devices
- 5.2: Use unique passwords
- 5.6: Centralised account management
- 6.3: Require MFA for externally-exposed applications
- 6.4: Require MFA for remote network access
- 6.5: Require MFA for administrative access
- 6.6: Establish and maintain an inventory of authentication and authorisation systems
- 12.7: Ensure remote devices utilise a VPN and are connecting to an enterprise AAA infrastructure
- 13.5: Manage access control for remote assets
OWASP 2021
- A07:2021: Identification and authentication failures
- A01:2021: Broken access control
- A03:2021: Injection
- A09:2021: Security logging and monitoring failures
ISO27001
- A.5.1: Policies for information security
- A.5.15: Access control
- A.5.16: Identity management
- A.5.17: Authentication information
- A.5.18: Access rights (includes review, removal and adjustment of access rights)
- A.5.26: Response to information security incidents
- A.8.5: Secure authentication
- A.8.16: Monitoring activities
CAF principle B3: Data security
IGP: Organisation has identified and catalogued all the data important to the operation of the essential function(s), or that would assist an attacker.
Organisation has identified and catalogued who has access to the data important to the operation of the essential function(s).
Organisation maintains a current understanding of the location, quantity and quality of data important to the operation of the essential function(s).
Organisation takes steps to remove or minimise unnecessary copies or unneeded historic data.
Organisation has identified all mobile devices and media that may hold data important to the operation of the essential function(s).
Organisation maintains a current understanding of the data links used to transmit data that is important to your essential function(s).
Organisation understands the context, limitations and dependencies of your important data.
Organisation understands and documents the impact on your essential function(s) of all relevant scenarios, including unauthorised data access, modification or deletion, or when authorised users are unable to appropriately access this data.
Organisation validates these documented impact statements regularly, at least annually.
NIST SP800-53
- AC-23: Data mining protection
- CA-3: Information exchange
- CM-13: Data action mapping
- PL-8: Security and privacy architectures
- PT-2: Authority to process personally identifiable information
- PT-3: Personally identifiable information processing purposes
- SI-12: Information management and retention
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 2: Asset protection and resilience
CIS-18
- 3.1: Establish and maintain a data management process
- 3.2: Establish and maintain a data inventory
- 3.7: Establish and maintain a data classification scheme
- 3.8: Document data flows
OWASP 2021
- A02:2021: Cryptographic failures
- A05:2021: Security misconfiguration
- A03:2021: Injection
- A09:2021: Security logging and monitoring failures
ISO27001
- A.8.2: Information classification
- A.10.1: Cryptographic controls
- A.13.1: Network security management
- A.13.2: Information transfer
IGP: The organisation has identified and protected (effectively and proportionately) all the data links that carry data important to the operation of your essential function(s).
Apply appropriate physical and/or technical means to protect data that travels over non-trusted or openly accessible carriers, with justified confidence in the robustness of the protection applied.
Suitable alternative transmission paths are available where there is a significant risk of impact on the operation of the essential function(s) due to resource limitation (for example, transmission equipment or function failure, or important data being blocked or jammed).
NIST SP800-53
- SC-10: Network disconnect
- SC-11: Trusted path
- SC-8: Transmission confidentiality and integrity
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 1: Data in transit protection
CIS-18
- 3.10: Encrypt sensitive data in transit
- 12.2: Establish and maintain a secure network architecture
- 12.3: Securely manage network infrastructure
- 12.6: Use of secure network management and communication protocols
- 13.4: Perform traffic filtering between network segments
OWASP 2021
- A02:2021: Cryptographic failures
- A05:2021: Security misconfiguration
- A03:2021: Injection
- A09:2021: Security logging and monitoring failures
ISO27001
- A.8.2: Information classification
- A.10.1: Cryptographic controls
- A.13.1: Network security management
- A.13.2: Information transfer
IGP: All copies of data important to the operation of your essential function(s) are necessary. Where this important data is transferred to less secure systems, the data is provided with limited detail and / or as a read-only copy.
The organisation has applied suitable physical and / or technical means to protect this important stored data from unauthorised access, modification or deletion.
If cryptographic protections are used you apply suitable technical and procedural means, and you have justified confidence in the robustness of the protection applied.
The organisation has suitable, secured backups of data to allow the operation of the essential function(s) to continue should the original data not be available. This may include off-line or segregated backups, or appropriate alternative forms such as paper copies.
Necessary historic or archive data is suitably secured in storage.
NIST SP800-53
- MP-2: Media access
- MP-3: Media marking
- MP-4: Media storage
- MP-5: Media transport
- MP-6: Media sanitisation
- MP-7: Media use
- MP-8: Media downgrading
- SC-28: Protection of information at rest
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 2: Asset protection and resilience
CIS-18
- 3.2: Establish and maintain a data inventory
- 3.4: Enforce data retention
- 3.7: Establish and maintain a data classification scheme
- 3.11: Encrypt sensitive data at rest
- 3.12: Segment data processing and storage based on sensitivity
- 3.13: Deploy a data loss prevention solution
OWASP 2021
- A02:2021: Cryptographic failures
- A05:2021: Security misconfiguration
- A03:2021: Injection
- A09:2021: Security logging and monitoring failures
ISO27001
- A.8.2: Information classification
- A.10.1: Cryptographic controls
- A.13.1: Network security management
- A.13.2: Information transfer
IGP: Mobile devices that hold data that is important to the operation of the essential function(s) are catalogued, are under your organisation’s control and configured according to best practice for the platform, with appropriate technical and procedural policies in place.
Your organisation can remotely wipe all mobile devices holding data important to the operation of the essential function(s).
You have minimised this data on these mobile devices. Some data may be automatically deleted off mobile devices after a certain period.
NIST SP800-53
- AC-19: Access control for mobile devices
- AC-19(5): Access control for mobile devices | Full device or container-based encryption
- AC-7(2): Unsuccessful logon attempts | Purge or wipe mobile device
- MP-2: Media access
- MP-3: Media marking
- MP-4: Media storage
- MP-5: Media transport
- MP-6(8): Media sanitisation | Remote purging or wiping of information
- MP-7: Media use
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 2: Asset protection and resilience
CIS-18
- 1.1: Establish and maintain detailed asset inventory
- 3.4: Enforce data retention
- 3.5: Securely dispose of data
- 3.9: Encrypt data on removable media
- 4.10: Enforce automatic device lockout on portable end-user devices
- 4.11: Enforce remote wipe capability on portable end-user devices
- 4.12: Separate enterprise workspaces on mobile end-user devices
OWASP 2021
- A02:2021: Cryptographic failures
- A01:2021: Broken access control
- A06:2021: Vulnerable and outdated components
- A07:2021: Identification and authentication failures
- A09:2021: Security logging and monitoring failures
ISO27001
- A.8.10: Information deletion
- A.8.11: Data masking
- A.8.12: Data leakage prevention
- A.5.15: Access control
- A.5.16: Identity management
- A.5.17: Authentication information
- A.5.1: Policies for information security
- A.6.2: Information security in project management
- A.5.4: Management responsibilities
- A.5.9: Inventory of information and other associated assets
- A.5.23: Information security for use of cloud services
- A.5.24: Information security incident management planning and preparation
IGP: You catalogue and track all devices that contain data important to the operation of the essential function(s) (whether a specific storage device or one with integral storage).
Data important to the operation of the essential function(s) is removed from all devices, equipment and removable media before reuse and / or disposal using an assured product or service.
NIST SP800-53
MP-6: Media sanitisation
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 2: Asset protection and resilience
CIS-18
3.5: Securely dispose of data
OWASP 2021
- A02:2021: Cryptographic failures
- A01:2021: Broken access control
- A09:2021: Security logging and monitoring failures
- A05:2021: Security misconfiguration
ISO27001
- A.8.10: Information deletion
- A.7.10: Equipment maintenance
- A.7.11: Secure disposal or re-use of equipment
- A.5.12: Classification of information
- A.5.13: Labelling of information
- A.6.1: Roles and responsibilities
- A.5.4: Management responsibilities
- A.5.1: Policies for information security
- A.5.26: Response to information security incidents
- A.5.29: Supplier relationships
- A.5.30: Collection of evidence
CAF principle B4: System security
IGP: You employ appropriate expertise to design network and information systems.
Your network and information systems are segregated into appropriate security zones (for example, systems supporting the essential function(s) are segregated in a highly trusted, more secure zone).
The network and information systems supporting your essential function(s) are designed to have simple data flows between components to support effective security monitoring.
The network and information systems supporting your essential function(s) are designed to be easy to recover.
Content-based attacks are mitigated for all inputs to network and information systems that affect the essential function(s) (for example, via transformation and inspection).
NIST SP800-53
- CA-2: Control assessments
- CA-5: Plan of action and milestones
- CA-7: Continuous monitoring
- CA-8: Penetration testing
- CA-9: Internal system connections
- CM-7: Least functionality
- IA-10: Adaptive authentication
- IA-12: Identity proofing
- IA-8: Identification and authentication (non-organisational users)
- MP-2: Media access
- SA-10: Developer configuration management
- SA-11: Developer testing and evaluation
- SA-15: Development process, standards, and tools
- SA-16: Developer-provided training
- SA-17: Developer security and privacy architecture and design
- SA-22: Unsupported system components
- SA-3: System development life cycle
- SA-4: Acquisition process
- SA-8: Security and privacy engineering principles
- SA-9: External system services
- SC-10: Network disconnect
- SC-12: Cryptographic key establishment and management
- SC-17: Public key infrastructure certificates
- SC-18: Mobile code
- SC-3: Security function isolation
- SC-32: System partitioning
- SC-4: Information in shared system resources
- SC-5: Denial-of-service protection
- SC-8: Transmission confidentiality and integrity
- SI-10: Information input validation
- SI-16: Memory protection
- SI-17: Fail-safe procedures
- SI-7: Software, firmware, and information integrity
NCSC: 10 Steps to Cyber Security
Architecture and configuration
NCSC: Cloud Security Principles
Principle 5: Operational security
CIS-18
- 2.7: Allowlist authorised scripts
- 3.9: Encrypt data on removable media
- 3.10: Encrypt sensitive data in transit
- 3.11: Encrypt sensitive data at rest
- 3.12: Segment data processing and storage based on sensitivity
- 3.13: Deploy a data loss prevention solution
- 4.1: Establish and maintain a secure configuration process
- 4.2: Establish and maintain a secure configuration process for network infrastructure
- 4.3: Configure automatic session locking on enterprise assets
- 4.4: Implement and manage a firewall on servers
- 5.2: Use unique passwords
- 6.3: Require MFA for externally-exposed applications
- 6.4: Require MFA for remote network access
- 6.5: Require MFA for administrative access
- 7.4: Perform automated application patch management
- 9.1: Ensure use of only fully supported browsers and email clients
- 9.2: Use DNS filtering services
- 9.3: Maintain and enforce network-based URL filters
- 9.4: Restrict unnecessary or unauthorised browser and email client extensions
- 9.6: Block unnecessary file types
- 10.3: Disable autorun and autoplay for removable media
- 12.2: Establish and maintain a secure network architecture
- 12.3: Securely manage network infrastructure
- 12.6: Use of secure network management and communication protocols
- 12.7: Ensure remote devices utilise a VPN and are connecting to an enterprise AAA infrastructure
- 12.8: Establish and maintain dedicated computing resources for all administrative work
- 13.2: Deploy a host-based intrusion detection solution
- 13.3: Deploy a network intrusion detection solution
- 13.4: Perform traffic filtering between network segments
- 13.5: Manage access control for remote assets
- 13.6: Collect network traffic flow logs
- 13.7: Deploy a host-based intrusion prevention solution
- 13.8: Deploy a network intrusion prevention solution
- 13.10: Perform application layer filtering
- 16.1: Establish and maintain a secure application development process
- 16.7: Use standard hardening configuration templates for application infrastructure
- 16.8: Separate production and non-production systems
- 16.11: Leverage vetted modules or services for application security components
- 16.14: Conduct threat modelling
- 18.3: Remediate penetration test findings
- 18.4: Validate security measures
OWASP 2021
- A04:2021: Insecure design
- A05:2021: Security misconfiguration
- A06:2021: Vulnerable and outdated components
- A09:2021: Security logging and monitoring failures
ISO27001
- A.13.1: Network security management
- A.14: System acquisition, development and maintenance
IGP: You have identified, documented and actively manage (for example, maintain security configurations, patching, updating according to good practice) the assets that need to be carefully configured to maintain the security of the essential function(s).
All platforms conform to your secure, defined baseline build, or the latest known good configuration version for that environment.
You closely and effectively manage changes in your environment, ensuring that network and system configurations are secure and documented.
You regularly review and validate that your network and information systems have the expected, secure settings and configuration.
Only permitted software can be installed.
Standard users are not able to change settings that would impact security or the business operation.
If automated decision-making technologies are in use, their operation is well understood, and decisions can be replicated.
Generic, shared, default name and built-in accounts have been removed or disabled. Where this is not possible, credentials to these accounts have been changed.
NIST SP800-53
- CM-11: User-installed software
- CM-14: Signed components
- CM-2: Baseline configuration
- CM-3: Configuration change control
- CM-6: Configuration settings
- CM-9: Configuration management plan
- SA-10: Developer configuration management
- SC-7(19): Boundary protection | Block communication from non-organisationally configured hosts
- SI-3: Malicious code protection
- SI-8: Spam protection
NCSC: 10 Steps to Cyber Security
Architecture and configuration
NCSC: Cloud Security Principles
Principle 11: External interface protection
CIS-18
- 2.5: Allowlist authorised software
- 2.7: Allowlist authorised scripts
- 3.12: Segment data processing and storage based on sensitivity
- 3.13: Deploy a data loss prevention solution
- 4.1: Establish and maintain a secure configuration process
- 4.2: Establish and maintain a secure configuration process for network infrastructure
- 4.3: Configure automatic session locking on enterprise assets
- 4.8: Uninstall or disable unnecessary services on enterprise assets and software
- 5.2: Use unique passwords
- 6.3: Require MFA for externally-exposed applications
- 6.4: Require MFA for remote network access
- 6.5: Require MFA for administrative access
- 7.5: Perform automated vulnerability scans of internal enterprise assets
- 8.4: Standardise time synchronisation
- 8.5: Collect detailed audit logs
- 8.6: Collect DNS query audit logs
- 8.7: Collect URL request audit logs
- 8.8: Collect command-line audit logs
- 9.1: Ensure use of only fully supported browsers and email clients
- 9.2: Use DNS filtering services
- 9.3: Maintain and enforce network-based URL filters
- 9.4: Restrict unnecessary or unauthorised browser and email client extensions
- 9.6: Block unnecessary file types
- 9.7: Deploy and maintain email server anti-malware protections
- 10.1: Deploy and maintain anti-malware software
- 10.2: Configure automatic anti-malware signature updates
- 10.3: Disable autorun and autoplay for removable media
- 10.4: Configure automatic anti-malware scanning of removable media
- 10.5: Enable anti-exploitation features
- 10.6: Centrally manage anti-malware software
- 10.7: Use behaviour-based anti-malware software
- 12.2: Establish and maintain a secure network architecture
- 12.3: Securely manage network infrastructure
- 12.6: Use of secure network management and communication protocols
- 12.7: Ensure remote devices utilise a VPN and are connecting to an enterprise AAA infrastructure
- 12.8: Establish and maintain dedicated computing resources for all administrative work
- 13.2: Deploy a host-based intrusion detection solution
- 13.3: Deploy a network intrusion detection solution
- 13.4: Perform traffic filtering between network segments
- 13.5: Manage access control for remote assets
- 13.6: Collect network traffic flow logs
- 13.7: Deploy a host-based intrusion prevention solution
- 13.8: Deploy a network intrusion prevention solution
- 13.10: Perform application layer filtering
- 16.1: Establish and maintain a secure application development process
- 16.7: Use standard hardening configuration templates for application infrastructure
- 16.8: Separate production and non-production systems
OWASP 2021
- A04:2021: Insecure design
- A05:2021: Security misconfiguration
- A06:2021: Vulnerable and outdated components
- A09:2021: Security logging and monitoring failures
ISO27001
- A.13.1: Network security management
- A.14: System acquisition, development and maintenance
IGP: Your systems and devices supporting the operation of the essential function(s) are only administered or maintained by authorised privileged users from highly trusted devices, such as Privileged Access Workstations, dedicated solely to those operations.
You regularly review and update technical knowledge about network and information systems, such as documentation and network diagrams, and ensure they are securely stored.
You prevent, detect and remove malware or unauthorised software. You use technical, procedural and physical measures as necessary.
NIST SP800-53
- PL-9: Central management
- SC-2: Separation of system and user functionality
- SC-20: Secure name/address resolution service (authoritative source)
- SC-21: Secure name/address resolution service (recursive or caching resolver)
NCSC: 10 Steps to Cyber Security
Architecture and configuration
NCSC: Cloud Security Principles
Principle 12: Secure service administration
CIS-18
- 1.3: Utilise an active discovery tool
- 1.4: Use dynamic host configuration protocol (DHCP) logging to update enterprise asset inventory
- 1.5: Use a passive asset discovery tool
- 2.3: Address unauthorised software
- 2.4: Utilise automated software inventory tools
- 2.5: Allowlist authorised software
- 2.6: Allowlist authorised libraries
- 3.3: Configure data access control lists
- 4.11: Enforce remote wipe capability on portable end-user devices
- 4.6: Securely manage enterprise assets and software
- 4.7: Manage default accounts on enterprise assets and software
- 5.3: Disable dormant accounts
- 5.4: Restrict administrator privileges to dedicated administrator accounts
- 5.5: Establish and maintain an inventory of service accounts
- 6.2: Establish an access revoking process
- 6.7: Centralised access control
- 9.6: Block unnecessary file types
- 9.7: Deploy and maintain email server anti-malware protections
- 10.1: Deploy and maintain anti-malware software
- 10.5: Enable anti-exploitation features
- 10.6: Centrally manage anti-malware software
- 11.5: Test data recovery
- 12.3: Securely manage network infrastructure
- 12.6: Use of secure network management and communication protocols
- 12.8: Establish and maintain dedicated computing resources for all administrative work
- 13.5: Manage access control for remote assets
- 13.9: Deploy port-level access control
- 15.6: Monitor service providers
- 15.7: Securely decommission service providers
- 16.12: Implement code-level security checks
- 16.5: Use up-to-date and trusted third-party software components
- 16.10: Apply secure design principles in application architectures
OWASP 2021
- A04:2021: Insecure design
- A05:2021: Security misconfiguration
- A06:2021: Vulnerable and outdated components
- A09:2021: Security logging and monitoring failures
ISO27001
- A.13.1: Network security management
- A.14: System acquisition, development and maintenance
IGP: You maintain a current understanding of the exposure of your essential function(s) to publicly-known vulnerabilities.
Announced vulnerabilities for all software packages, network and information systems used to support your essential function(s) are tracked, prioritised and mitigated (for example, by patching) promptly.
You regularly test to fully understand the vulnerabilities of the network and information systems that support the operation of your essential function(s) and verify this understanding with third-party testing.
You maximise the use of supported software, firmware and hardware in your network and information systems supporting your essential function(s).
NIST SP800-53
- RA-5: Vulnerability monitoring and scanning
- SA-11(2): Developer testing and evaluation | Threat modelling and vulnerability analyses
- SA-15(7): Development process, standards, and tools | Automated vulnerability analysis
- SA-15(8): Development process, standards, and tools | Reuse of threat and vulnerability information
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 5: Operational security
CIS-18
- 7.1: Establish and maintain a vulnerability management process
- 7.2: Establish and maintain a remediation process
- 7.3: Perform automated operating system patch management
- 7.4: Perform automated application patch management
- 7.5: Perform automated vulnerability scans of internal enterprise assets
- 7.6: Perform automated vulnerability scans of externally-exposed enterprise assets
- 7.7: Remediate detected vulnerabilities
- 16.2: Establish and maintain a process to accept and address software vulnerabilities
- 16.6: Establish and maintain a severity rating system and process for application vulnerabilities
OWASP 2021
- A04:2021: Insecure design
- A05:2021: Security misconfiguration
- A06:2021: Vulnerable and outdated components
- A09:2021: Security logging and monitoring failures
ISO27001
- A.13.1: Network security management
- A.14: System acquisition, development and maintenance
CAF principle B5: Resilient networks and systems
IGP: You have business continuity and disaster recovery plans that have been tested for practicality, effectiveness and completeness. Appropriate use is made of different test methods (for example, manual fail-over, table-top exercises, or red-teaming).
You use your security awareness and threat intelligence sources to identify new or heightened levels of risk, which result in immediate and potentially temporary security measures to enhance the security of your network and information systems (for example, in response to a widespread outbreak of very damaging malware).
NIST SP800-53
- IR-1: Policy and procedures
- IR-2: Incident response training
- IR-3: Testing
- IR-4: Incident handling
- IR-5: Incident monitoring
- IR-6: Incident reporting
- IR-7: Incident response assistance
- IR-8: Incident response plan
- CP-1 through CP-10: Contingency planning family
- CP-2: Contingency plan
- CP-4: Contingency plan testing
- CP-9: Information system backup
- PE-17: Alternate work site
- PM-30: Risk response
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 3: Separation between customers
CIS-18
- 11.4: Establish and maintain an isolated instance of recovery data
- 12.2: Establish and maintain a secure network architecture
- 18.1: Establish and maintain a penetration testing programme
- 3.12: Segment data processing and storage based on sensitivity
- 4.2: Establish and maintain a secure configuration process for network infrastructure
OWASP 2021
- A01:2021: Broken access control
- A02:2021: Cryptographic failures
- A05:2021: Security misconfiguration
- A06:2021: Vulnerable and outdated components
- A09:2021: Security logging and monitoring failures
- A10:2021: Server-side request forgery (SSRF)
ISO27001
- A.17: Information security aspects of business continuity management
- A.17.1: Information security continuity
- A.17.2: Redundancies
IGP: Network and information systems supporting the operation of your essential function(s) are segregated from other business and external systems by appropriate technical and physical means (for example, separate network and system infrastructure with independent user administration). Internet services are not accessible from network and information systems supporting the essential function(s).
You have identified and mitigated all resource limitations (for example, bandwidth limitations and single network paths).
You have identified and mitigated any geographical constraints or weaknesses (for example, systems that your essential function(s) depends upon are replicated in another location, important network connectivity has alternative physical paths and service providers).
You review and update assessments of dependencies, resource and geographical limitations and mitigations when necessary.
NIST SP800-53
- SC-6: Resource availability
- SC-24: Fail in known state
- SC-36: Distributed processing and storage
- CP-4: Contingency plan testing
- CP-6: Alternate storage site
- CP-7: Alternate processing site
- CP-10: System recovery and reconstitution
- IR-3: Incident response testing
- PM-11: Mission/business process definition
- PM-30: Risk response
- PL-8: Information security architecture
- RA-5: Vulnerability scanning
- SA-8: Security and privacy engineering principles
- SA-12: Supply chain protection
- SA-14: Criticality analysis
- SR-3: Supply chain controls and processes
- SR-5: System component authenticity
- SR-6: Component authenticity
NCSC: 10 Steps to Cyber Security
Architecture and configuration
NCSC: Cloud Security Principles
Principle 2: Asset protection and resilience
CIS-18
- 2.7: Allowlist authorised scripts
- 3.3: Configure data access control lists
- 4.1: Establish and maintain a secure configuration process
- 4.2: Establish and maintain a secure configuration process for network infrastructure
- 4.3: Configure automatic session locking on enterprise assets
- 5.4: Restrict administrator privileges to dedicated administrator accounts
- 6.4: Require MFA for remote network access
- 6.5: Require MFA for administrative access
- 9.1: Ensure use of only fully supported browsers and email clients
- 9.4: Restrict unnecessary or unauthorised browser and email client extensions
- 11.4: Establish and maintain an isolated instance of recovery data
- 12.1: Ensure network infrastructure is up-to-date
- 12.3: Securely manage network infrastructure
- 12.5: Centralised network authentication, authorisation, and auditing (AAA)
- 13.3: Deploy a network intrusion detection solution
- 13.7: Deploy a host-based intrusion prevention solution
- 13.8: Deploy a network intrusion prevention solution
- 13.10: Perform application layer filtering
- 16.1: Establish and maintain a secure application development process
- 16.7: Use standard hardening configuration templates for application infrastructure
- 16.8: Separate production and non-production systems
OWASP 2021
- A05:2021: Security misconfiguration
- A01:2021: Broken access control
- A06:2021: Vulnerable and outdated components
- A07:2021: Identification and authentication failures
- A09:2021: Security logging and monitoring failures
ISO27001
A.5.29: Information security during disruption. This control requires organisations to maintain their information security activities at an appropriate level during disruptive events, so that information remains protected even during a critical failure of operations.
IGP: Your comprehensive, automatic and tested technical and procedural backups are secured at centrally accessible or secondary sites to recover from an extreme event.
Backups of all important data and information needed to recover the essential function(s) are made, tested, documented and routinely reviewed.
NIST SP800-53
CP-9: System backup
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 2: Asset protection and resilience
CIS-18
- 11.2: Perform automated backups
- 11.3: Protect recovery data
OWASP 2021
- A01:2021: Broken access control
- A02:2021: Cryptographic failures
- A05:2021: Security misconfiguration
- A06:2021: Vulnerable and outdated components
- A09:2021: Security logging and monitoring failures
ISO27001
- A.5.4: Management responsibilities
- A.5.15: Access control
- A.5.24: Information security incident management planning and preparation
- A.5.26: Response to information security incidents
- A.6.1: Roles and responsibilities
- A.7.9: Physical security monitoring
- A.8.8: Information transfer
- A.8.12: Data leakage prevention
- A.8.13: Information backup
CAF principle B6: Staff awareness and training
IGP: Your executive management clearly and effectively communicates the organisation’s cyber security priorities and objectives to all staff. Your organisation displays positive cyber security attitudes, behaviours and expectations.
People in your organisation raising potential cyber security incidents and issues are treated positively.
Individuals at all levels in your organisation routinely report concerns or issues about cyber security and are recognised for their contribution to keeping the organisation secure.
Your management is seen to be committed to and actively involved in cyber security.
Your organisation communicates openly about cyber security, with any concern being taken seriously.
People across your organisation participate in cyber security activities and improvements, building joint ownership and bringing knowledge of their area of expertise.
NIST SP800-53
AT-6: Training feedback
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 4: Governance framework
CIS-18
- 14.1: Establish and maintain a security awareness programme
- 14.2: Train workforce members to recognise social engineering attacks
- 14.3: Train workforce members on authentication best practices
- 14.4: Train workforce on data handling best practices
- 14.5: Train workforce members on causes of unintentional data exposure
- 14.6: Train workforce members on recognising and reporting security incidents
- 14.7: Train workforce on how to identify and report if their enterprise assets are missing security updates
- 14.8: Train workforce on the dangers of connecting to and transmitting enterprise data over insecure networks
- 14.9: Conduct role-specific security awareness and skills training
- 15.4: Ensure service provider contracts include security requirements
- 16.9: Train developers in application security concepts and secure coding
- 17.3: Establish and maintain an enterprise process for reporting incidents
- 17.4: Establish and maintain an incident response process
OWASP 2021
None
ISO27001
A.6.3: Information security awareness, education and training
IGP: All people in your organisation, from the most senior to the most junior, follow appropriate cyber security training paths.
Each individual’s cyber security training is tracked and refreshed at suitable intervals.
You routinely evaluate your cyber security training and awareness activities to ensure they reach the widest audience and are effective.
You make cyber security information and good practice guidance easily accessible, widely available and you know it is referenced and used within your organisation.
NIST SP800-53
- AT-2: Literacy training and awareness
- AT-3: Role-based training
- AT-4: Training records
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 4: Governance framework
CIS-18
- 14.1: Establish and maintain a security awareness programme
- 14.2: Train workforce members to recognise social engineering attacks
- 14.3: Train workforce members on authentication best practices
- 14.4: Train workforce on data handling best practices
- 14.5: Train workforce members on causes of unintentional data exposure
- 14.6: Train workforce members on recognising and reporting security incidents
- 14.7: Train workforce on how to identify and report if their enterprise assets are missing security updates
- 14.8: Train workforce on the dangers of connecting to and transmitting enterprise data over insecure networks
- 14.9: Conduct role-specific security awareness and skills training
- 16.9: Train developers in application security concepts and secure coding
OWASP 2021
None
ISO27001
A.6.3: Information security awareness, education and training
CAF objective C: Detecting cyber security events
CAF principle C1: Security monitoring
IGP: Monitoring is based on an understanding of your networks, common cyber attack methods and what you need awareness of in order to detect potential security incidents that could affect the operation of your essential function(s) (for example, presence of malware, malicious emails, user policy violations).
Your monitoring data provides enough detail to reliably detect security incidents that could affect the operation of your essential function(s).
You easily detect the presence or absence of IoCs on your essential function(s), such as known malicious command and control signatures.
Extensive monitoring of user activity in relation to the operation of your essential function(s) enables you to detect policy violations and an agreed list of suspicious or undesirable behaviour.
You have extensive monitoring coverage that includes host-based monitoring and network gateways.
All new systems are considered as potential monitoring data sources to maintain a comprehensive monitoring capability.
NIST SP800-53
- AU-2: Event logging
- AU-6: Audit record review, analysis and reporting
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 5: Operational security
CIS-18
- 8.2: Collect audit logs
- 8.3: Ensure adequate audit log storage
- 8.4: Standardise time synchronisation
- 8.5: Collect detailed audit logs
- 8.6: Collect DNS query audit logs
- 8.7: Collect URL request audit logs
- 8.8: Collect command-line audit logs
- 8.11: Conduct audit log reviews
- 8.12: Collect service provider logs
- 13.2: Deploy a host-based intrusion detection solution
- 13.3: Deploy a network intrusion detection solution
- 13.6: Collect network traffic flow logs
OWASP 2021
A09:2021: Security logging and monitoring failures
ISO27001
- A.12: Operations security
- A.12.4: Logging and monitoring
- A.12.6: Security incident management
- A.16: Information security incident management
- A.16.1: Management of information security incidents and improvements
IGP: The integrity of log data is protected, or any modification is detected and attributed.
The logging architecture has mechanisms, policies, processes and procedures to ensure that it can protect itself from threats comparable to those it is trying to identify. This includes protecting the essential function(s) itself, and the data within it.
Log data analysis and normalisation is only performed on copies of the data keeping the master copy unaltered.
Log data is synchronised, using an accurate common time source, so that separate datasets can be correlated in different ways.
Access to log data is limited to those with business need and no others.
All actions involving logging data (for example, copying, deleting or modification, or even viewing) can be traced back to a unique user.
Legitimate reasons for accessing log data are given in use policies.
NIST SP800-53
AU-9: Protection of audit information
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 5: Operational security
CIS-18
- 3.4: Establish and maintain a data management process
- 4.8: Manage access control lists
- 8.6: Collect detailed audit logs
- 8.7: Standardise time synchronisation
- 8.8: Centralise audit logs
- 8.9: Retain audit logs
- 8.10: Collect service provider logs
- 8.11: Review audit logs
OWASP 2021
A09:2021: Security logging and monitoring failures
ISO27001
- A.12: Operations security
- A.12.4: Logging and monitoring
- A.12.6: Security incident management
- A.16: Information security incident management
- A.16.1: Management of information security incidents and improvements
IGP: Log data is enriched with other network knowledge and data when investigating certain suspicious activity or alerts.
A wide range of signatures and indicators of compromise is used for investigations of suspicious activity and alerts.
Alerts can be easily resolved to network assets using knowledge of networks and systems. The resolution of these alerts is performed in almost real time.
Security alerts relating to all essential function(s) are prioritised and this information is used to support incident management.
Logs are reviewed almost continuously, in real time.
Alerts are tested to ensure that they are generated reliably and that it is possible to distinguish genuine security incidents from false alarms.
NIST SP800-53
SI-5: Security alerts, advisories and directives
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 5: Operational security
CIS-18
- 13.1: Centralised security event alerting
- 13.11: Tune security event alerting thresholds
OWASP 2021
A09:2021: Security logging and monitoring failures
ISO27001
- A.12: Operations security
- A.12.4: Logging and monitoring
- A.12.6: Security incident management
- A.16: Information security incident management
- A.16.1: Management of information security incidents and improvements
IGP: You have selected threat intelligence sources or services using risk-based and threat-informed decisions based on your business needs and sector (for example, vendor reporting and patching, strong anti-virus providers, sector and community-based infoshare, special interest groups).
You apply all new signatures and IoCs within a reasonable (risk-based) time of receiving them.
You receive signature updates for all your protective technologies (for example, AV, IDS).
You track the effectiveness of your intelligence feeds and actively share feedback on the usefulness of IoCs and any other indicators with the threat community (for example, sector partners, threat intelligence providers, government agencies).
NIST SP800-53
- IR-4: Incident handling
- IR-5: Incident monitoring
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 5: Operational security
CIS-18
- 8.11: Conduct audit log reviews
- 9.7: Deploy and maintain email server anti-malware protections
- 10.1: Deploy and maintain anti-malware software
- 10.2: Configure automatic anti-malware signature updates
- 10.4: Configure automatic anti-malware scanning of removable media
- 10.5: Enable anti-exploitation features
- 10.7: Use behaviour-based anti-malware software
- 13.2: Deploy a host-based intrusion detection solution
- 13.3: Deploy a network intrusion detection solution
- 15.6: Monitor service providers
- 17.9: Establish and maintain security incident thresholds
OWASP 2021
A09:2021: Security logging and monitoring failures
ISO27001
- A.12: Operations security
- A.12.4: Logging and monitoring
- A.12.6: Security incident management
- A.16: Information security incident management
- A.16.1: Management of information security incidents and improvements
IGP: You have monitoring staff, who are responsible for the analysis, investigation and reporting of monitoring alerts covering both security and performance.
Monitoring staff have defined roles and skills that cover all parts of the monitoring and investigation process.
Monitoring staff follow policies, processes and procedures that address all governance reporting requirements, internal and external.
Monitoring staff are empowered to look beyond the fixed process to investigate and understand non-standard threats, by developing their own investigative techniques and making new use of data.
Your monitoring tools make use of all log data collected to pinpoint activity within an incident.
Monitoring staff and tools drive and shape new log data collection and can make wide use of it.
Monitoring staff are aware of the operation of essential function(s) and related assets and can identify and prioritise alerts or investigations that relate to them.
NIST SP800-53
CA-7: Continuous monitoring
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 5: Operational security
CIS-18
- 7.1: Establish and maintain a vulnerability management process
- 7.2: Establish and maintain a remediation process
- 8.1: Establish and maintain an audit log management process
- 8.11: Conduct audit log reviews
- 13.11: Tune security event alerting thresholds
OWASP 2021
A09:2021: Security logging and monitoring failures
ISO27001
- A.5.30: Collection of evidence
- A.8.16: Monitoring activities
- A.8.7: Protection against malware
- A.5.23: Information security for use of cloud services
- A.5.24: Information security incident management planning and preparation
- A.5.25: Assessment and decision on information security events
- A.5.26: Response to information security incidents
CAF principle C2: Proactive security event discovery
IGP: Normal system behaviour is fully understood to such an extent that searching for system abnormalities is a potentially effective way of detecting malicious activity (for example, you fully understand which systems should and should not communicate and when).
System abnormality descriptions from past attacks and threat intelligence, on yours and other networks, are used to signify malicious activity.
The system abnormalities you search for consider the nature of attacks likely to impact on the network and information systems supporting the operation of your essential function(s).
The system abnormality descriptions you use are updated to reflect changes in your network and information systems and current threat intelligence.
NIST SP800-53
SI-4: System monitoring
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 5: Operational security
CIS-18
- 13.1: Centralise security event alerting
- 13.2: Deploy a SIEM system
- 13.3: Tune security event alerting
- 8.8: Centralise audit logs
- 12.1: Ensure network infrastructure is up-to-date
- 13.4: Conduct security event analyses
- 14.1: Perform regular threat hunting activities
- 3.4: Establish and maintain a data management process
- 4.1: Establish and maintain a secure configuration process
- 17.1: Design incident response capability
- 17.2: Assign key roles and responsibilities
OWASP 2021
ISO27001
- A.12: Operations security
- A.12.4: Logging and monitoring
- A.12.6: Security incident management
- A.16: Information security incident management
- A.16.1: Management of information security incidents and improvements
IGP: You routinely search for system abnormalities indicative of malicious activity on the network and information systems supporting the operation of your essential function(s), generating alerts based on the results of such searches.
You have justified confidence in the effectiveness of your searches for system abnormalities indicative of malicious activity.
NIST SP800-53
- IR-4: Incident handling
- SI-5: Security alerts, advisories and directives
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 5: Operational security
CIS-18
- 1.3: Utilise an active discovery tool
- 1.5: Use a passive asset discovery tool
- 2.4: Utilise automated software inventory tools
- 9.6: Block unnecessary file types
- 9.7: Deploy and maintain email server anti-malware protections
- 10.1: Deploy and maintain anti-malware software
- 10.2: Configure automatic anti-malware signature updates
- 10.4: Configure automatic anti-malware scanning of removable media
- 10.5: Enable anti-exploitation features
- 10.7: Use behaviour-based anti-malware software
- 13.11: Tune security event alerting thresholds
- 16.13: Conduct application penetration testing
- 18.2: Perform periodic external penetration tests
- 18.5: Perform periodic internal penetration tests
OWASP 2021
ISO27001
- A.12: Operations security
- A.12.4: Logging and monitoring
- A.12.6: Security incident management
- A.16: Information security incident management
- A.16.1: Management of information security incidents and improvements
CAF objective D: Minimising the impact of cyber security incidents
CAF principle D1: Response and recovery planning
IGP: Your incident response plan is based on a clear understanding of the security risks to the network and information systems supporting your essential function(s).
Your incident response plan is comprehensive (that is, it covers the complete life cycle of an incident, roles and responsibilities, and reporting) and covers likely impacts of both known attack patterns and of possible attacks, previously unseen.
Your incident response plan is documented and integrated with wider organisational business plans and supply chain response plans as well as dependencies on supporting infrastructure (for example, power, cooling and so on).
Your incident response plan is communicated and understood by the business areas involved with the operation of your essential function(s).
NIST SP800-53
CP-1: Contingency planning
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 5: Operational security
CIS-18
- 11.1: Establish and maintain a data recovery process
- 17.1: Designate personnel to manage incident handling
- 17.2: Establish and maintain contact information for reporting security incidents
- 17.3: Establish and maintain an enterprise process for reporting incidents
- 17.4: Establish and maintain an incident response process
- 17.5: Assign key roles and responsibilities
- 17.6: Define mechanisms for communicating during incident response
- 17.8: Conduct post-incident reviews
OWASP 2021
A09:2021: Security logging and monitoring failures
ISO27001
- A.16: Information security incident management
- A.16.1: Management of information security incidents and improvements
- A.16.1.1: Responsibilities and procedures
- A.16.1.2: Reporting information security events
- A.17: Information security aspects of business continuity management
- A.17.1: Information security continuity
- A.17.2: Redundancies
- A.17.3: Capacity and performance planning
IGP: You understand the resources that will likely be needed to carry out any required response activities, and arrangements are in place to make these resources available.
You understand the types of information that will likely be needed to inform response decisions and arrangements are in place to make this information available.
Your response team members have the skills and knowledge required to decide on the response actions necessary to limit harm, and the authority to carry them out.
Key roles are duplicated, and operational delivery knowledge is shared with all individuals involved in the operations and recovery of the essential function(s).
Back-up mechanisms are available that can be readily activated to allow continued operation of your essential function(s), although possibly at a reduced level, if primary network and information systems fail or are unavailable.
Arrangements exist to augment your organisation’s incident response capabilities with external support if necessary (for example, specialist cyber incident responders).
NIST SP800-53
CP-2: Contingency plan
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 5: Operational security
CIS-18
- 11.1: Establish and maintain a data recovery process
- 17.1: Designate personnel to manage incident handling
- 17.2: Establish and maintain contact information for reporting security incidents
- 17.3: Establish and maintain an enterprise process for reporting incidents
- 17.4: Establish and maintain an incident response process
- 17.8: Conduct post-incident reviews
- 17.9: Establish and maintain security incident thresholds
OWASP 2021
A09:2021: Security logging and monitoring failures
ISO27001
- A.16: Information security incident management
- A.16.1: Management of information security incidents and improvements
- A.16.1.1: Responsibilities and procedures
- A.16.1.2: Reporting information security events
- A.17: Information security aspects of business continuity management
- A.17.1: Information security continuity
- A.17.2: Redundancies
- A.17.3: Capacity and performance planning
IGP: Exercise scenarios are based on incidents experienced by your and other organisations or are composed using experience or threat intelligence.
Exercise scenarios are documented, regularly reviewed, and validated.
Exercises are routinely run, with the findings documented and used to refine incident response plans and protective security, in line with the lessons learned.
Exercises test all parts of your response cycle relating to your essential function(s) (for example, restoration of normal function(s) levels).
NIST SP800-53
CP-3: Contingency training
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 5: Operational security
CIS-18
- 11.1: Establish and maintain a data recovery process
- 16.14: Conduct threat modelling
- 17.7: Conduct routine incident response exercises
OWASP 2021
- A01:2021: Broken access control
- A05:2021: Security misconfiguration
- A06:2021: Vulnerable and outdated components
- A07:2021: Identification and authentication failures
- A09:2021: Security logging and monitoring failures
ISO27001
- A.5.2: Information security roles and responsibilities
- A.5.29: Information security during disruption
- A.5.30: ICT readiness for business continuity
- A.6.3: Information security awareness, education and training
- A.10.1: Continual improvement
CAF principle D2: Lessons learned
IGP: Root cause analysis is conducted routinely as a key part of your lessons learned activities following an incident.
Your root cause analysis is comprehensive, covering organisational process issues, as well as vulnerabilities in your networks, systems or software.
All relevant incident data is made available to the analysis team to perform root cause analysis.
NIST SP800-53
IR-6: Incident reporting
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 5: Operational security
CIS-18
- 8.11: Conduct audit log reviews
- 17.8: Conduct post-incident reviews
OWASP 2021
- A01:2021: Broken access control
- A05:2021: Security misconfiguration
- A06:2021: Vulnerable and outdated components
- A07:2021: Identification and authentication failures
- A09:2021: Security logging and monitoring failures
ISO27001
- A.5.2: Information security roles and responsibilities
- A.5.29: Information security during disruption
- A.5.30: ICT readiness for business continuity
- A.6.3: Information security awareness, education and training
- A.10.1: Continual improvement
IGP: You have a documented incident review process/policy which ensures that lessons learned from each incident are identified, captured, and acted upon.
Lessons learned cover issues with reporting, roles, governance, skills and organisational processes as well as technical aspects of network and information systems.
You use lessons learned to improve security measures, including updating and retesting response plans when necessary.
Security improvements identified as a result of lessons learned are prioritised, with the highest priority improvements completed quickly.
Analysis is fed to senior management and incorporated into risk management and continuous improvement.
NIST SP800-53
IR-2: Incident response training
NCSC: 10 Steps to Cyber Security
NCSC: Cloud Security Principles
Principle 5: Operational security
CIS-18
- 16.14: Conduct threat modelling
- 17.8: Conduct post-incident reviews
OWASP 2021
- A01:2021: Broken access control
- A05:2021: Security misconfiguration
- A06:2021: Vulnerable and outdated components
- A07:2021: Identification and authentication failures
- A09:2021: Security logging and monitoring failures
ISO27001
- A.5.1: Policies for information security
- A.5.2: Information security roles and responsibilities
- A.5.30: ICT readiness for business continuity
- A.6.3: Information security awareness, education and training
- A.10.1: Continual improvement