Skip to content

Cyber Assessment Framework – Alsid Alignment For Key Service Sectors in the United Kingdom

What is CAF?

Developed by the National Cyber Security Centre (NCSC), the Cyber Assessment Framework (CAF) establishes a strategic and systematic methodology for the Financial Services sector, amongst other vital service sectors, to help enable a specified level of cyber resilience.

Based on 14 key principles that can vary according to an organisation’s conditions, the principles govern a wide array of complete cybersecurity outcomes and are built on numerous contributing secondary principles. Each principle can be broken down into indicators of good practice (IGP), which subsequently produces 39 various outcomes. The level of cyber resilience is determined by a score for each outcome.

Why Implement CAF in your Organisation?

The 14 key principles are split between four primary objectives and cover the most vital initiatives in which a company should be fully vested. These include:

• Managing security risk
• Protecting against cyberattacks
• Detecting cybersecurity events
• Minimizing the impact of cybersecurity incidents

Each of the primary objectives is generic in theory and applies to any industry sector. Each objective and its corresponding principles, outcomes, and indicators of good practice can be interpreted per sector, with each sector’s regulation body adding their interpretation of the framework. The broad framework serves as a blueprint for establishing and demonstrating cyber resilience in the case of an unexpected attack. Additionally, the framework enables organisations to implement regulatory compliance related to their specific industry sector.

Alsid for AD & CAF

Regardless of the organisational structure, Active Directory forms an integral part of a company’s vital assets. As seen in recent years, Active Directory has increasingly become an attractive target for hackers trying to sabotage or take over such an important entity.

Using Alsid’s four-pillar approach for Active Directory security, organisations can rest assured that their directory infrastructure is being monitored and protected in real time, with the industry’s most comprehensive security tool specifically focused on Active Directory.

Find and fix your existing weaknesses

  • Immediately discover, map, and score existing weaknesses
  • Follow our step-by-step remediation tactics and prevent attacks

AD admins, blue teams, and auditors

Uncover new attack pathways

  • Continuously identify new vulnerabilities and misconfigurations
  • Break attack pathways and keep your threat exposure in check

AD admin and SOC analyst

Investigate incidents & hunt for threats

  • Search and correlate AD changes at object and attribute levels
  • Trigger response playbooks in your SOAR

Incident responder and threat hunters

Detect ongoing attacks in real time

  • Get alerts and actionable remediation plans on AD attacks
  • Help your SOC team visualize notifications & alerts in your SIEM

Threat hunters and SOC analyst

Our four-pillar approach to AD security goes beyond just compliance and auditing activity and is closely aligned with a multitude of principles listed in the recommended framework. The CAF principles and their corresponding IGPs below are major focus areas that can be addressed when implementing Alsid for AD.

CAF Principles

Alsid for AD is an agent-less, cloud-based platform dedicated to Active Directory security. Alsid hardens your directory infrastructure, enriches your SOC capabilities with AD threat detection, and empowers your incident response and hunting teams into investigating AD-related threats.

Principle: A2


Principle: B2


Principle: B5


Principle: C2  


Risk Management The organisation takes appropriate steps to identify, assess, and understand security risks to the network and information systems supporting the operation of essential functions. This includes an overall organisational approach to risk management. Identity and Access Control The organisation understands, documents and manages access to networks and information systems supporting the operation of essential functions. Users (or automated functions) that can access data or systems are appropriately verified, authenticated, and authorised. Resilient Networks and Systems The organisation builds resilience against cyber-attack and system failure into the design, implementation, operation, and management of systems that support the operation of essential functions. Proactive Security Event Discovery The organisation detects, within networks and information systems, malicious activity affecting, or with the potential to affect, the operation of essential functions even when the activity evades standard signature-based security prevent/detect solutions (or when standard solutions are not deployable).


Risk Management Process: Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities B2.a Identity Verification, Authentication and Authorisation:
You robustly verify, authenticate and authorise access to the networks and information systems supporting your essential function.
B5.a Resilience Preparation:
You are prepared to restore the operation of your essential function following adverse impact 
C2.a  System Abnormalities for Attack Detection:
You define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity that is otherwise hard to identify.
    B2.c Privileged User Management:
You closely manage privileged user access to networks and information systems supporting the essential function. 

Design for Resilience:
You design the network and information systems supporting your essential function to be resilient to cybersecurity incidents. Systems are appropriately segregated and resource limitations are mitigated.

C2.b   Proactive Attack Discovery:
You use an informed understanding of more sophisticated attack methods and normal system behaviour to monitor proactively for malicious activity.
    B2.d Identity and Access Management (IdAM) :
You assure good management and maintenance of identity and access control for your networks and information systems supporting the essential function.
C1.a Monitoring Coverage:
The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function. 
    B4.a Secure by Design: You design security into the network and information systems that support the operation of essential functions.  You minimise their attack surface and ensure that the operation of the essential function should not be impacted by the exploitation of any single vulnerability. C1.c   Generating Alerts:
Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts.

Secure Configuration:
You securely configure the network and information systems that support the operation of essential functions.


Identifying Security Incidents: You contextualise alerts with knowledge of the threat and your systems, to identify those security incidents that require some form of response

    B4.c Secure Management:
You manage your organisation’s network and information systems that support the operation of essential functions to enable and maintain security.
    B4.d Vulnerability Management:
You manage known vulnerabilities in your network and information systems to prevent an adverse impact on the essential function.

As a general framework provided by NCSC, it is important to note that these steps should be used as a guide only, and any specific initiatives for ensuring Active Directory security specifically should involve a detailed analysis of your directory with an Alsid specialist. For more information, contact us.

Comments are closed.

Download pdf