National Cyber Security Centre - Cyber Assessment Framework (CAF)
Disclaimer: Organizations are not required by law to comply with this document unless legislation, or a direction given under legislation or by some other lawful authority, compels them to comply. This document does not override any obligations imposed by legislation or law. Furthermore, if this document conflicts with legislation or law, the latter takes precedence.
The NCSC is the United Kingdom's (UK) national technical authority for information assurance, providing advice and guidance on cybersecurity. In alignment with the UK Government's National Cyber Strategy 2022, the CAF consists of a set of cyber security and resilience principles, together with guidance on using and applying them. The Cyber Assessment Framework (CAF), as defined by the National Cyber Security Centre (NCSC), aims to improve the security of network and information systems across the UK, with a particular focus on essential functions which, if compromised, could cause significant damage to the economy, society, the environment, and individuals' welfare, including loss of life. Historically, this area was governed by the Good Practice Guide 13 (GPG 13), which provided a very specific framework by which entities could be secured; GPG 13 is now deprecated. The NCSC seeks to be a single source of cybersecurity guidance and support, providing resources that help entities achieve security in their environments appropriate to their specific business. The CAF is the more flexible successor to what was once a very prescriptive set of controls. The NCSC module is based upon the four (4) CAF objectives and fourteen (14) principles. LogRhythm has aligned a set of rules, alarms, reports, and investigations that will assist our customers with the controls they are likely to have in place based on those principles.
- Objective A: Managing security risk
  - A.1 Governance: Putting in place the policies and processes which govern your organization's approach to the security of network and information systems.
  - A.2 Risk management: Identification, assessment and understanding of security risks, and the establishment of an overall organizational approach to risk management.
  - A.3 Asset management: Determining and understanding all systems and/or services required to maintain or support essential functions.
  - A.4 Supply chain: Understanding and managing the security risks to networks and information systems which arise from dependencies on external suppliers.
- Objective B: Protecting against cyber attack
  - B.1 Service protection policies and processes: Defining and communicating appropriate organizational policies and processes to secure systems and data that support the operation of essential functions.
  - B.2 Identity and access control: Understanding, documenting and controlling access to networks and information systems supporting essential functions.
  - B.3 Data security: Protecting stored or electronically transmitted data from actions that may cause an adverse impact on essential functions.
  - B.4 System security: Protecting critical network and information systems and technology from cyber attack.
  - B.5 Resilient networks and systems: Building resilience against cyber attack.
  - B.6 Staff awareness and training: Appropriately supporting staff to ensure they make a positive contribution to the cyber security of essential functions.
- Objective C: Detecting cybersecurity events
  - C.1 Security monitoring: Monitoring to detect potential security problems and track the effectiveness of existing security measures.
  - C.2 Proactive security event discovery: Detecting anomalous events in relevant network and information systems.
- Objective D: Minimizing the impact of cybersecurity incidents
  - D.1 Response and recovery planning: Putting suitable incident management and mitigation processes in place.
  - D.2 Lessons learned: Learning from incidents and implementing these lessons to improve the resilience of essential functions.
The LogRhythm platform enables your organization to meet many NCSC CAF guidelines by collecting, managing, and analyzing log data. LogRhythm AI Engine (AIE) rules, alarms, reports, investigations, and general SIEM functionality also help your organization satisfy certain IT security elements outlined by NCSC CAF.
LogRhythm understands that organizations may be at different points of compliance maturity; the NCSC CAF module is intended to assist organizations in implementing the appropriate level of security controls for their organization whether they're just starting to evaluate CAF for their cybersecurity needs or have been using it for years. LogRhythm supports many of the NCSC CAF objectives and decreases the cost of meeting others through pre-built content and functionality. Using advanced LogRhythm functionality such as NetMon, TrueIdentity, SysMon, Threat Research content like MITRE ATT&CK, and Case Management may enhance pre-built content to better support an organization's compliance efforts.
IT environments consist of heterogeneous devices, systems, and applications, all reporting log data. Millions of individual log entries can be generated daily, if not hourly. The task of organizing this information can be overwhelming, and the additional requirement to analyze and report on log data renders manual processes or homegrown remedies inadequate and cost-prohibitive for many organizations. LogRhythm delivers log collection, archiving, and recovery across the entire IT infrastructure and automates the first level of log analysis. Log data is categorized, identified, and normalized for easy analysis and reporting. LogRhythm's powerful alerting capabilities automatically identify the most critical issues and notify relevant personnel. The NCSC CAF module and associated reporting package work out of the box, with some level of customization available. Using the NCSC CAF module assists in building and maintaining a sound compliance program.
This document is divided into the following sections: