Catalyst / admin/Strike 14.8 GB / 57.8 GB 40.0 GB free
Help Sign in

admin / Strike

public

Web-Based UK Cyber Compliance Tool with Reporting

Code Issues Pull requests Pipelines Packages Security Insights Wiki Settings
Strike / strikexi-v2 / db / sample_caf_questions.json 4650 B · main
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
{
  "_comment": "Full NCSC CAF taxonomy: 4 objectives, 14 principles, one weighted question each, plus CAF context/narrative ('guidance') explaining the basis of each question and what 'good' looks like. Mirrors db/init/02_seed.sql. Score is fraction of full marks (0-1); weight is relative importance within the principle. Each principle maps to a principle-specific remediation.",
  "objectives": [
    { "id": "A", "title": "Managing security risk" },
    { "id": "B", "title": "Protecting against cyber attack" },
    { "id": "C", "title": "Detecting cyber security events" },
    { "id": "D", "title": "Minimising the impact of incidents" }
  ],
  "answer_scale": [
    { "label": "Achieved", "score": 1.0 },
    { "label": "Partially achieved", "score": 0.5 },
    { "label": "Not achieved", "score": 0.0 }
  ],
  "principles": [
    { "id": "A1", "objective": "A", "title": "Governance",                               "question": "Is there a board-level individual accountable for cyber security, with clear governance structures and policies that are regularly reviewed?", "guidance": "CAF Objective A is about managing security risk. Principle A1 (Governance) expects senior-level direction and oversight of cyber security, with appropriate policies, defined responsibilities and an agreed risk appetite. 'Achieved' means a named board-level owner is accountable and governance is documented and reviewed regularly.", "weight": 2.0 },
    { "id": "A2", "objective": "A", "title": "Risk management",                          "question": "Do you maintain a documented cyber security risk assessment process and a risk register that is reviewed at planned intervals?", "weight": 1.5 },
    { "id": "A3", "objective": "A", "title": "Asset management",                         "question": "Do you maintain a complete and current inventory of the assets required to deliver your essential functions?", "weight": 1.5 },
    { "id": "A4", "objective": "A", "title": "Supply chain",                             "question": "Do you identify, assess and manage the cyber security risks introduced by your suppliers and third parties?", "weight": 1.5 },
    { "id": "B1", "objective": "B", "title": "Service protection policies and processes","question": "Are security policies and processes defined, approved, communicated and enforced across the organisation?", "weight": 1.5 },
    { "id": "B2", "objective": "B", "title": "Identity and access control",            "question": "Is multi-factor authentication enforced and are access rights granted on a least-privilege basis and reviewed regularly?", "weight": 2.0 },
    { "id": "B3", "objective": "B", "title": "Data security",                           "question": "Is sensitive data protected at rest and in transit using appropriate encryption and access controls?", "weight": 2.0 },
    { "id": "B4", "objective": "B", "title": "System security",                         "question": "Are systems securely configured, hardened and patched against known vulnerabilities within defined timeframes?", "weight": 2.0 },
    { "id": "B5", "objective": "B", "title": "Resilient networks and systems",         "question": "Are networks and systems designed for resilience, with tested backups and redundancy for essential functions?", "weight": 1.5 },
    { "id": "B6", "objective": "B", "title": "Staff awareness and training",           "question": "Do staff receive role-appropriate cyber security awareness training on a recurring basis?", "weight": 1.0 },
    { "id": "C1", "objective": "C", "title": "Security monitoring",                     "question": "Do you collect and centrally monitor security logs from key systems to detect potential security events?", "weight": 1.5 },
    { "id": "C2", "objective": "C", "title": "Proactive security event discovery",     "question": "Do you proactively hunt for and investigate anomalous activity that routine monitoring might miss?", "weight": 1.5 },
    { "id": "D1", "objective": "D", "title": "Response and recovery planning",          "question": "Do you have a documented and tested incident response and recovery plan covering your essential functions?", "weight": 2.0 },
    { "id": "D2", "objective": "D", "title": "Lessons learned",                         "question": "After an incident, do you conduct root-cause analysis and feed lessons learned back into your controls?", "weight": 1.0 }
  ],
  "remediation_threshold": 0.7,
  "_note": "If a principle's normalised score is below remediation_threshold, the mapped principle-specific remediation is queued into the roadmap with detailed mitigation guidance referencing that principle."
}