Cyber Assessment Framework pilot shows great potential

Local Digital is a community of organisations working together on a shared vision: to deliver more user-centred, cost-effective local public services through open, collaborative and reusable work.

Research previously conducted by Local Digital identified that local authorities in England don’t have a clear baseline “standard for cyber security”. Over 4 months in the latter part of 2022 the organisation ran the Cyber Assessment Framework (CAF) for Local Government pilot, details of which can be seen in their report. Click here to read the report.

The CAF, which was developed by NCSC, has great potential to address the baseline standard issue whilst improving cyber resilience.

The importance of frameworks

Cyber assessment frameworks are important because they help organisations to evaluate their cyber security posture, identify vulnerabilities, and develop a targeted plan for improving their security posture. Using a cyber assessment framework helps ensure that assessments are conducted consistently and in accordance with best practices, and that the results are reliable and can be compared across different organisations. A cyber assessment framework can also help organisations to prioritise their cyber security investments and allocate resources more effectively, based on the identified risks and the organisation's risk appetite.

What are the elements of the CAF used for the pilot?

The table below shows the 4 key objectives of the CAF and the 14 associated principles.

The guidance provides 14 principles which define a range of cyber security and resilience outcomes. The approach an organisation adopts to achieve each principle is not specified or prescribed, as this will vary, according to each organisation’s circumstances. To fully satisfy the top-level objectives, the lower-level contributing cyber security and resilience outcomes will need to be achieved.

This is a very positive initiative that can only benefit the sector if moves to adopt the CAF are formalised.

PCI-DSS 4.0 Update

In our February newsletter we discussed the release of PCI-DSS version 4.0.

Our team of policy editors have recently concluded their work to review and upgrade policy content and associated mappings within IT policy management software to align with the PCI-DSS version 4.0 standard.

The “new” content comprises of 8 additional best practice statements and modifications to 51 existing best practice statements to cater for the new requirements. Monitoring and Logging Guidelines have also been updated, and there are over 630 mappings of the PCI standard to our library of best practice statements.

To discuss how Protocol Policy Systems can assist get the foundations in place for a secure computing environment, contact Steve Macmillan.

Click here to view a demo video of the IT Policy Management Software and Service