Remember how, just a few years ago, many organizations were striving to be "cyber secure"? Over the last few years, boasting about one's cybersecurity posture seemed to become the very thing that came back to mock every organization that fell victim to a newsworthy compromise. Many organizations began shifting from a previously acclaimed security posture toward one of cyber resilience.

In 2019, the National Cyber Security Centre (NCSC) released guidance to help organizations achieve the flexibility to respond effectively to security incidents. The Cyber Assessment Framework (CAF) is offered as a free tool to help any company achieve resilience in the face of a cyber emergency.

The Death of “Check-the-Box” Security

The CAF functions in the same way that NIST guidelines function. The document offers 14 "principles." The approach taken by this NCSC guidance is a broad shift from how many security frameworks are applied. Specifically, "The 14 principles are written in terms of outcomes, i.e., specification of what needs to be achieved rather than a checklist of what needs to be done."

For Example…

The guidance defines a new acronym, IGP, which stands for "Indicators of Good Practice." Most security professionals are keenly aware of Indicators of Compromise (IOC), so they may find this new acronym somewhat humorous.

The 14 principles are set under 4 broader objectives:

  • Objective A: Managing security risk through four principles.
  • Objective B: Protecting against cyber attack through six principles.
  • Objective C: Detecting cyber security events through two principles.
  • Objective D: Minimizing the impact of cyber security incidents through two principles.

Objectives A and B contain the most subheadings, but that does not mean that the sparser requirements of Objectives C and D are any easier to achieve. 

Objective A includes governance, risk management, asset