
Using the Cyber Assessment Framework (CAF) in practice


by Tony Badsey-Ellis


If you’ve read our earlier blogs about the Cyber Assessment Framework (CAF), you’ll know that it isn’t intended to be a checklist. It’s outcome-based, allowing users to meet the outcome in the best way that suits them and their system. There are, however, some cross-dependencies between the various Contributing Outcomes, as we identified during our work to create GovAssure.

At the top level, there are dependencies between the four high-level objectives, as shown in the diagram below.

Outcome-level dependencies

A far more complex web of dependencies exists between the Contributing Outcomes (CO). Within the GovAssure team, we reviewed each CO in turn and looked at dependencies for each. This was tabulated at first, but this wasn’t a very satisfactory way of showing the links, as some COs are depended on by multiple other COs. A table didn’t make this clear and meant that anyone using the table would end up backtracking repeatedly.

I enjoy finding interesting ways to represent data visually, especially cross-fertilising ideas from other sectors. The discovery of an unusual chart style showing train services on the West Coast Main Line planted the seed of an idea in my mind, and I started to play around with a similar concept for the CAF.

Chord diagram

What I discovered is called a chord diagram because the lines cut across the circle, forming ‘chords’. Some experimentation showed that the diagram was clearer if the chord lines were curved. Next, I introduced colour to represent the different Objectives, as this would highlight where a CO depends on a CO from a different Objective. The arrows have the same colour if the start and end are within the same Objective; if not, each end is coloured for the Objective at the opposite end, as this makes the cross-Objective dependency more obvious.

CAF chord diagram


This diagram shows the dependencies between the 39 Contributing Outcomes defined in the Cyber Assessment Framework created by the NCSC.

To simplify the diagram, it is assumed that Risk Management (A2.a), Asset Management (A3.a), and Cyber Security Training (B6.b) are already in place, and hence not all links are shown back to these.

Thanks to the Government Security Group, National Cyber Security Centre, and Cyber GSeC Team for the work that we did in compiling the data for this diagram.

In drawing the diagram, I also found some circular dependencies that need to be avoided (otherwise, where does one start in assessing these COs?). We conducted another review of the dependencies to eliminate these.

Once the diagram was complete, it was then an easy exercise to identify those nodes that depend on nothing else (and so should be assessed earlier) and those that depend on others but are depended on by nothing (and therefore should be tackled later).

One point to note is that we took the view that three of the Contributing Outcomes are fundamental to a CAF assessment and have a large number of other COs that depend on them. These dependencies have been removed from the diagram and replaced by a note to reduce clutter. They are:

    • A2.a – Risk Management
    • A3.a – Asset Management
    • B6.b – Training
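As an added illustration of the ordering exercise described above (this is not code from the original post or from the GovAssure work), the following Python computes an assessment order from a dependency map, reports any circular dependency that would block it, and drops the links to the three fundamental COs as the diagram does. The dependency data in it is constructed for the example and is not the real CAF dependency set.

```python
# Assessment ordering for CAF Contributing Outcomes (COs) from a dependency map.
# SAMPLE_DEPS is CONSTRUCTED for illustration, not the GovAssure data behind the
# chord diagram. Keys are COs; values are the COs each one depends on.
FUNDAMENTAL = {"A2.a", "A3.a", "B6.b"}  # assumed in place, so edges to them are dropped
SAMPLE_DEPS = {
    "A1.a": [],
    "A2.b": ["A1.a", "A2.a"],
    "B2.c": [],
    "B4.d": [],
    "B5.b": [],
    "C1.a": ["A2.b", "B2.c", "B4.d"],
    "D1.a": ["B5.b", "C1.a"],
}

def prune(deps):
    """Drop edges to the fundamental COs, as the diagram does to reduce clutter."""
    return {co: [d for d in ds if d not in FUNDAMENTAL] for co, ds in deps.items()}

def cycle_members(remaining):
    """Strip COs nothing else in `remaining` depends on; what is left forms the cycle(s)."""
    rem = {co: set(ds) for co, ds in remaining.items()}
    while True:
        depended_on = set().union(*rem.values())
        downstream = [co for co in rem if co not in depended_on]
        if not downstream:
            return sorted(rem)
        for co in downstream:
            del rem[co]

def assessment_layers(deps):
    """Kahn's algorithm over the pruned graph. Returns (layers, circular): layer 0 holds
    COs with no dependencies (start here); `circular` lists COs caught in a cycle."""
    deps = prune(deps)
    nodes = set(deps).union(*deps.values())
    remaining = {co: set(deps.get(co, [])) for co in nodes}
    layers = []
    while remaining:
        ready = sorted(co for co, ds in remaining.items() if not ds)
        if not ready:  # every remaining CO still waits on another: a cycle exists
            return layers, cycle_members(remaining)
        layers.append(ready)
        remaining = {co: ds - set(ready) for co, ds in remaining.items() if co not in ready}
    return layers, []

def assess_last(deps):
    """COs that depend on others but that nothing depends on: tackle these last."""
    deps = prune(deps)
    depended_on = set().union(*deps.values())
    return sorted(co for co, ds in deps.items() if ds and co not in depended_on)
```

Each layer can be assessed once every earlier layer is done, so the layers also show which COs could be reviewed in parallel.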

Observations

This fits with the original block diagram in that it shows that the only dependencies on Objective D are from other COs in Objective D; Objective C is depended on by COs in Objectives C and D, and the same goes for Objective B.

There are no dependencies either way with Principle C2 – Proactive Security Event Discovery because this area is deemed (currently) to be above the level of the baseline profile.

The following COs do not depend on any others and so are good places to start a CAF assessment:

    • A1.a – Board direction
    • A3.a – Asset Management
    • B1.a – Policy and Process Development
    • B2.c – Privileged User Management
    • B3.a – Understanding data
    • B3.e – Media/equipment sanitisation
    • B4.d – Vulnerability management
    • B5.a – Resilience preparation
    • B5.b – Design for resilience

Of course, this is a view of the CAF that we have taken whilst creating GovAssure. Your systems and organisation might take a different approach because of how you work, and other factors might mean you must complete your CAF assessment in a different order. If so, consider how you see the dependencies and create your chord diagram to help you progress through the CAF.

Read more about the CAF here.

2T Security became one of the first NCSC-assured cybersecurity consultancies to offer GovAssure services. You can find out more here.

Contact us

Please get in touch with us for more information about how RiskTree or 2T Security can help with CAF-based work.
