Using the CAF in practice.
by Tony Badsey-Ellis
If you’ve read our earlier blogs about the Cyber Assessment Framework (CAF), you’ll know that it isn’t intended to be a checklist. It’s outcome-based, allowing users to meet the outcome in the best way that suits them and their system. There are, however, some cross-dependencies between the various Contributing Outcomes, as we identified during our work to create GovAssure.
At the top level, there are dependencies between the four high-level objectives, as shown in the diagram below.
Outcome-level dependencies
A far more complex web of dependencies exists between the Contributing Outcomes (COs). Within the GovAssure team, we reviewed each CO in turn and identified the other COs it depends on. We tabulated the results at first, but a table proved an unsatisfactory way of showing the links: some COs are depended on by many others, a table does not make this clear, and anyone using it ends up backtracking repeatedly to find everything that depends on a given CO.
I enjoy finding interesting ways to represent data visually, especially cross-fertilising ideas from other sectors. The discovery of an unusual chart style showing train services on the West Coast Main Line planted the seed of an idea in my mind, and I started to play around with a similar concept for the CAF.
Chord diagram
What I discovered is called a chord diagram, because the lines cut across the circle, forming ‘chords’. Some experimentation showed that the diagram was easier to read if the chord lines were curved. Next, I introduced colour to represent the four objectives, as this highlights where a CO depends on COs from a different objective. An arrow is a single colour if its start and end lie within the same objective; if not, each end is coloured for the objective at the opposite end, which makes the cross-objective dependency more obvious.
CAF Chord diagram
This diagram shows the dependencies between the 39 Contributing Outcomes defined in the Cyber Assessment Framework created by the NCSC.
To simplify the diagram, Risk Management (A2.a), Asset Management (A3.a), and Cyber Security Training (B6.b) are assumed to be already in place, and hence not all links back to these are shown.
Thanks to the Government Security Group, National Cyber Security Centre, and Cyber GSeC Team for the work that we did in compiling the data for this diagram.