The Cyber Assessment Framework: Guided Cyber Resilience

4 years ago Bob Covello

Remember how, just a few years ago, many organizations were striving to be cyber secure? Over the last few years, it seemed that crowing about one’s cybersecurity posture became the very thing that mocked every organization that fell victim to a newsworthy compromise. Many organizations began shifting their previously acclaimed security posture towards one of cyber resilience.

In 2019, the National Cyber Security Centre (NCSC) released guidance to help organizations achieve the flexibility to respond effectively to security incidents. The Cyber Assessment Framework (CAF) is offered as a free tool to help any company achieve resilience in the face of a cyber emergency.

The Death of “Check-the-Box” Security

The CAF functions in the same way that NIST guidelines function. The document offers 14 “principles.” The entire approach to this NCSC guidance is a broad shift from how many security frameworks are followed. Specifically, “The 14 principles are written in terms of outcomes, i.e., specification of what needs to be achieved rather than a checklist of what needs to be done.”

For Example…

The guidance defines a new acronym, IGP, which represents “Indicators of Good Practice.” Most security professionals are keenly aware of Indicators of Compromise (IOC), so they may find this new acronym somewhat humorous.

The 14 principles are set under 4 broader objectives:

  • Objective A: Managing security risk through four principles.
  • Objective B: Protecting against cyber attack through six principles.
  • Objective C: Detecting cyber security events through two principles.
  • Objective D: Minimizing the impact of cyber security incidents through two principles.

Objectives A and B contain the most subheadings, but that does not mean that the sparser requirements of Objectives C and D are any easier to achieve.

Objective A includes governance, risk management, asset management, and supply chain security. In most companies, stewarding these vast goals comprises full-time roles. In the largest organizations, there are entire departments dedicated to each of these principles.

Objective B includes more of the granular responsibilities of a corporate security operation, including identity and access control, data security, system security, and security awareness training. This objective also contains service protection policies and processes as well as a principle of resilient networks and systems.

Service protection policies and processes would probably strike most practitioners as more appropriately placed under Objective A, as many policies flow from governance rather than from a security discipline. However, it is perfectly reasonable that security-specific policies could originate from the security department, so the NCSC logic appears to make sense.

At first glance, the principle of resilient networks and systems seems to suffer from circular reasoning since the overall purpose of the CAF is to help an organization achieve resilience. However, the NCSC explains in the preface to the CAF that: “Objectives C, and D, are centered around monitoring and response.”

Thoroughly Comprehensive, with a Touch of Direction

The CAF resembles many other frameworks, and some of the principles have already been codified into various regulations as well. What makes the online version particularly useful is that each objective and principle includes links to external, industry-accepted resources that either explain the principle or offer further guidance. This is a rabbit hole of information of the best type.

Not Intended for Internal Use Only

One of the most important points made in the introduction to the CAF is that:

It is intended to be used either by the responsible organisation itself (self-assessment) or by an independent external entity, possibly a regulator or a suitably qualified organisation acting on behalf of a regulator.

Nothing could be a fairer warning that this tool will be wielded by others to evaluate an organization. It is easy to surmise that an auditor may use the CAF to examine a company’s resiliency, but it is equally possible that a “suitably qualified organization” could be an insurance company evaluating an organization’s worthiness to possess cyber insurance.

How Tripwire Can Help

Whether your organization is just beginning its transition from readiness to resilience or is already fully underway in this next approach to cybersecurity, there are many aspects of the CAF that should not be “home grown.” Tripwire’s full platform of products can help an organization succeed in becoming both ready and resilient. Schedule a demo of Tripwire Enterprise or any of our other products to see how we can add value to your cybersecurity program.

The post “The Cyber Assessment Framework: Guided Cyber Resilience” appeared first on Tripwire.

Source: Tripwire – Bob Covello

Tags: Government, Tripwire
