admin / Strike
publicWeb-Based UK Cyber Compliance Tool with Reporting
Strike / strikexi-v2 / db / sample_caf_questions.json
4650 B · main
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 | { "_comment": "Full NCSC CAF taxonomy: 4 objectives, 14 principles, one weighted question each, plus CAF context/narrative ('guidance') explaining the basis of each question and what 'good' looks like. Mirrors db/init/02_seed.sql. Score is fraction of full marks (0-1); weight is relative importance within the principle. Each principle maps to a principle-specific remediation.", "objectives": [ { "id": "A", "title": "Managing security risk" }, { "id": "B", "title": "Protecting against cyber attack" }, { "id": "C", "title": "Detecting cyber security events" }, { "id": "D", "title": "Minimising the impact of incidents" } ], "answer_scale": [ { "label": "Achieved", "score": 1.0 }, { "label": "Partially achieved", "score": 0.5 }, { "label": "Not achieved", "score": 0.0 } ], "principles": [ { "id": "A1", "objective": "A", "title": "Governance", "question": "Is there a board-level individual accountable for cyber security, with clear governance structures and policies that are regularly reviewed?", "guidance": "CAF Objective A is about managing security risk. Principle A1 (Governance) expects senior-level direction and oversight of cyber security, with appropriate policies, defined responsibilities and an agreed risk appetite. 'Achieved' means a named board-level owner is accountable and governance is documented and reviewed regularly.", "weight": 2.0 }, { "id": "A2", "objective": "A", "title": "Risk management", "question": "Do you maintain a documented cyber security risk assessment process and a risk register that is reviewed at planned intervals?", "weight": 1.5 }, { "id": "A3", "objective": "A", "title": "Asset management", "question": "Do you maintain a complete and current inventory of the assets required to deliver your essential functions?", "weight": 1.5 }, { "id": "A4", "objective": "A", "title": "Supply chain", "question": "Do you identify, assess and manage the cyber security risks introduced by your suppliers and third parties?", "weight": 1.5 }, { "id": "B1", "objective": "B", "title": "Service protection policies and processes","question": "Are security policies and processes defined, approved, communicated and enforced across the organisation?", "weight": 1.5 }, { "id": "B2", "objective": "B", "title": "Identity and access control", "question": "Is multi-factor authentication enforced and are access rights granted on a least-privilege basis and reviewed regularly?", "weight": 2.0 }, { "id": "B3", "objective": "B", "title": "Data security", "question": "Is sensitive data protected at rest and in transit using appropriate encryption and access controls?", "weight": 2.0 }, { "id": "B4", "objective": "B", "title": "System security", "question": "Are systems securely configured, hardened and patched against known vulnerabilities within defined timeframes?", "weight": 2.0 }, { "id": "B5", "objective": "B", "title": "Resilient networks and systems", "question": "Are networks and systems designed for resilience, with tested backups and redundancy for essential functions?", "weight": 1.5 }, { "id": "B6", "objective": "B", "title": "Staff awareness and training", "question": "Do staff receive role-appropriate cyber security awareness training on a recurring basis?", "weight": 1.0 }, { "id": "C1", "objective": "C", "title": "Security monitoring", "question": "Do you collect and centrally monitor security logs from key systems to detect potential security events?", "weight": 1.5 }, { "id": "C2", "objective": "C", "title": "Proactive security event discovery", "question": "Do you proactively hunt for and investigate anomalous activity that routine monitoring might miss?", "weight": 1.5 }, { "id": "D1", "objective": "D", "title": "Response and recovery planning", "question": "Do you have a documented and tested incident response and recovery plan covering your essential functions?", "weight": 2.0 }, { "id": "D2", "objective": "D", "title": "Lessons learned", "question": "After an incident, do you conduct root-cause analysis and feed lessons learned back into your controls?", "weight": 1.0 } ], "remediation_threshold": 0.7, "_note": "If a principle's normalised score is below remediation_threshold, the mapped principle-specific remediation is queued into the roadmap with detailed mitigation guidance referencing that principle." } |