
CAF Framework – Alsid Alignment – For Banking & Finance and other Key UK services Sectors

Principle: A2 Risk Management

The organisation takes appropriate steps to identify, assess and understand security risks to the network and information systems supporting the operation of essential functions. This includes an overall organisational approach to risk management.

A2.a Risk Management Process

Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.

Principle: B2 Identity and Access Control

The organisation understands, documents and manages access to networks and information systems supporting the operation of essential functions. Users (or automated functions) that can access data or systems are appropriately verified, authenticated and authorised.

B2.a Identity Verification, Authentication and Authorisation

You robustly verify, authenticate and authorise access to the networks and information systems supporting your essential function.

B2.c Privileged User Management

You closely manage privileged user access to networks and information systems supporting the essential function.

B2.d Identity and Access Management (IdAM)

You assure good management and maintenance of identity and access control for your networks and information systems supporting the essential function.

B4.a Secure by Design

You design security into the network and information systems that support the operation of essential functions. You minimise their attack surface and ensure that the operation of the essential function should not be impacted by the exploitation of any single vulnerability.

B4.b Secure Configuration

You securely configure the network and information systems that support the operation of essential functions.

B4.c Secure Management

You manage your organisation’s network and information systems that support the operation of essential functions to enable and maintain security.

B4.d Vulnerability Management

You manage known vulnerabilities in your network and information systems to prevent adverse impact on the essential function.

Principle: B5 Resilient Networks and Systems

The organisation builds resilience against cyber-attack and system failure into the design, implementation, operation and management of systems that support the operation of essential functions.

B5.a Resilience Preparation

You are prepared to restore the operation of your essential function following adverse impact.

B5.b Design for Resilience

You design the network and information systems supporting your essential function to be resilient to cyber security incidents. Systems are appropriately segregated and resource limitations are mitigated.

C1.a Monitoring Coverage

The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function.

C1.c Generating Alerts

Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts.

C1.d Identifying Security Incidents

You contextualise alerts with knowledge of the threat and your systems, to identify those security incidents that require some form of response.

Principle: C2 Proactive Security Event Discovery

The organisation detects, within networks and information systems, malicious activity affecting, or with the potential to affect, the operation of essential functions even when the activity evades standard signature-based security prevent/detect solutions (or when standard solutions are not deployable).

C2.a System Abnormalities for Attack Detection

You define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity that is otherwise hard to identify.

C2.b Proactive Attack Discovery

You use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity.
