CYBER ASSESSMENT FRAMEWORK (CAF)
To comply with the requirements of the Civil Contingency Act 2007 (the “Act”), a designated Operator of Essential Services (“OES”) must take appropriate and proportionate technical and organisational measures to manage the risks to the security of network and information systems, which support the delivery of essential services.
The Cyber Assessment Framework (“CAF”) was developed in accordance with section 54 of the Act, to provide guidance to OESs and particularly, to provide the GRA with the capability to assess the extent to which OESs are achieving the required levels of cyber security. The CAF is based on the UK’s framework and is used as a tool whereby the GRA liaises with the different OESs in order to tailor the CAF to each sector profile.
The general CAF is based on the following four main objectives:
A: Managing security risk
B: Protecting against cyber attack
C: Detecting cyber security incidents
D: Minimising the impact of cyber security incidents
The CAF is further broken down into 14 specific principles that are based on sets of indicators of good practice. These are:
|
Principles |
Objectives |
|
Governance |
Managing Security Risk |
|
Risk Management |
|
|
Asset Management |
|
|
Supply Chain |
|
|
Service Protection Policies and Processes |
Defending systems against cyber attack |
|
Identity and Access Control |
|
|
Data Security |
|
|
System Security |
|
|
Resilient Networks & Systems |
|
|
Staff Awareness & Training |
|
|
Security Monitoring |
Detecting cyber security events |
|
Proactive Security Event Discovery |
|
|
Response and Recovery Planning |
Minimising the impact of cyber security incidents |
|
Improvements |
The CAF can be reviewed and downloaded below.