Useful links and resources
Useful resources to help you understand the principles behind the CAF for local government and how to improve your cyber resilience.
Managing security risk (objective A)
Make sure you have appropriate structures, policies and processes in place to manage security risks.
Governance (A1)
Resources on principle A1 – Governance:
- About principle A1: Governance (NCSC.gov.uk)
- Risk management guidance on the governance of cyber risk (NCSC.gov.uk) – what to consider when developing a security and governance management framework that works for your organisation
- Cyber security toolkit for boards (NCSC.gov.uk) – resources to support essential cyber security discussions between a board and their technical experts
Risk management (A2)
Resources on principle A2 – Risk management:
- About principle A2: Risk management (NCSC.gov.uk)
- Guidance on risk management (NCSC.gov.uk) – outlines the fundamentals of risk management, describing techniques you can use to manage risks
- National Protective Security Authority: protective security risk management (NPSA.gov.uk) – an approach for stakeholder engagement and security risk assessment to support effective decision making
Asset management (A3)
Resources on principle A3 – Asset management:
- About principle A3: Asset management (NCSC.gov.uk)
- Asset management, one of the NCSC’s 10 Steps to Cyber Security (NCSC.gov.uk) – understanding critical services and functions, and identifying the associated data and technology dependencies, so that their protection can be prioritised
Supply chain (A4)
Resources on principle A4 – Supply chain:
- About principle A4: Supply chain (NCSC.gov.uk)
- Supply chain security guidance (NCSC.gov.uk) – an overview of supply chain risks and indicators of good practice
- Cloud security principle guidance (NCSC.gov.uk) – consider supply chain risk exposure when configuring, deploying and using cloud services
- Supplier assurance questions (NCSC.gov.uk) – increase your confidence in your suppliers’ security posture and understand the maturity of their controls
Minimising the impact of cyber security incidents (objective D)
Minimise the adverse impact of a cyber incident on your essential functions.
Response and recovery planning (D1)
Resources on principle D1 – Response and recovery planning:
- About principle D1: Response and recovery planning (NCSC.gov.uk)
- Cyber security toolkit for boards – planning your response to cyber incidents (NCSC.gov.uk) – get senior leader buy-in for incident planning, management and exercising
- The NCSC’s Exercise in a Box (NCSC.gov.uk) – helps organisations find out how resilient they are to cyber attacks and practise their response in a safe environment
- Effective steps to cyber exercise creation (NCSC.gov.uk) – advice on how to create cyber incident response exercises
Lessons learned (D2)
Learn about incident management and how to understand the root cause of a risk.
Resources on principle D2 – Lessons learned:
- About principle D2: Lessons learned (NCSC.gov.uk)
- Incident management, one of the NCSC’s 10 Steps to Cyber Security (NCSC.gov.uk)
Protecting against cyber attack (objective B)
Make sure you have proportional security measures in place to protect your network and information systems from cyber attacks.
Service protection policies and processes (B1)
Resources on principle B1 – Service protection policies and processes:
- About principle B1: Service protection policies and processes (NCSC.gov.uk)
- The NCSC’s ‘You shape security’ guidance (NCSC.gov.uk) – advice on using multiple channels of communications to engage with staff and discuss existing security policies
Identity and access control (B2)
Resources on principle B2 – Identity and access control:
- About principle B2: Identity and access control (NCSC.gov.uk)
Resources on identity and access management, password strategies, and common approaches to designing IT systems and the risks associated with each:
- Introduction to identity and access management (NCSC.gov.uk)
- Guidance on password administration for system owners (NCSC.gov.uk)
- Guidance on systems administration architectures (NCSC.gov.uk)
Resources on verifying a user’s identity, issuing credentials, authentication and access management:
- The National Protective Security Authority’s advice on physical access security (NPSA.gov.uk)
- Advice on implementing multi-factor authentication for online services (NCSC.gov.uk) – protect against password guessing and theft on online services
- Guidance on understanding biometric recognition technologies, and how to build secure authentication systems (NCSC.gov.uk)
- Device security guidance on enterprise authentication policy for the configuration, management and use of corporate devices (NCSC.gov.uk)
Data security (B3)
Resources on principle B3 – Data security:
- About principle B3 – Data security (NCSC.gov.uk)
Resources on when to conduct a risk assessment:
- Cloud Guide for the Public Sector – offshoring and data residency (GOV.UK) – consider the risks and implications of processing and storing government data overseas
- Securing your information for ‘official’ government data (GOV.UK) – information security of ‘official’ government data
Resources on protecting data:
- Guidance on protecting data in transit (NCSC.gov.uk) – data should be protected from interception, traffic replay, manipulation or jamming
- The NCSC’s 10 Steps to Cyber Security – Data security (NCSC.gov.uk) – data at rest should be protected against unauthorised access, tampering or deletion
- The NCSC’s principles of protecting bulk personnel data (NCSC.gov.uk) – good practice for the identification and protection of personal data
Resources on device and data security:
- Guidance on asset protection and resilience (NCSC.gov.uk)
- Guidance on device security (NCSC.gov.uk) – advice on choosing, configuring and using devices securely
- Guidance on Bring Your Own Device (BYOD) (NCSC.gov.uk) – enabling staff to use their own smartphones, tablets and laptops to access work information
- Guidance on the secure sanitisation of storage media (NCSC.gov.uk) – why sanitisation is necessary, the risks to manage, and how to sanitise affordably
System security (B4)
Resources on principle B4 – System security:
- About principle B4: System security (NCSC.gov.uk)
- The NCSC’s secure design principles (NCSC.gov.uk) – covers the secure design, management and configuration of a system throughout its lifecycle
- The NCSC’s 10 Steps to Cyber Security – Architecture and configuration (NCSC.gov.uk) – how to design, build, maintain and manage systems securely
- Guidance on device security (NCSC.gov.uk) – how to choose, configure and use devices securely
- Guidance on vulnerability management (NCSC.gov.uk) – how to keep your systems protected throughout their lifecycle
- Guidance on mitigating malware and ransomware attacks (NCSC.gov.uk) – how to defend your organisation against malware or ransomware attacks
- Guidance on secure development and deployment (NCSC.gov.uk) – 8 principles to help you improve and evaluate your development practices, and those of your suppliers
- Guidance on penetration testing (NCSC.gov.uk) – how to get the most from penetration testing
Useful NCSC security tools:
- Protective Domain Name Service (NCSC.gov.uk) – prevents access to domains known to be malicious
- Web Check (NCSC.gov.uk) – scans an organisation’s URLs to identify website vulnerabilities
- Mail Check (NCSC.gov.uk) – provides protection against email spoofing and secures data in transit
- Vulnerability disclosure toolkit (NCSC.gov.uk) – assists in the development of a vulnerability disclosure process
Resilient networks and systems (B5)
Resources on principle B5 – Resilient networks and systems:
- About principle B5: Resilient networks and systems (NCSC.gov.uk)
Resources to make sure the essential functions performed by your organisation are resilient to cyber attack, and that business continuity and disaster recovery plans are in place:
- Guidance on mitigating malware and ransomware attacks (NCSC.gov.uk) – includes identifying critical systems and data, developing an incident management and recovery plan
- Guidance on preventing lateral movement (NCSC.gov.uk) – how system owners can prevent and detect lateral movement within their enterprise networks
- Guidance to help organisations understand and mitigate DoS attacks (NCSC.gov.uk) – covers attack vectors, how to implement network defences and how to deploy mitigations in the event of an attack
- The NCSC’s cloud security principle on asset protection and resilience (NCSC.gov.uk) – how the use of availability zones and geographic regions can minimise the impact of outages
- The NCSC’s 10 Steps to Cyber Security – Data security (NCSC.gov.uk) – how to protect data where it is vulnerable
Staff awareness and training (B6)
Resources on principle B6 – Staff awareness and training:
- About principle B6: Staff awareness and training (NCSC.gov.uk)
- The NCSC’s ‘You shape security’ guidance (NCSC.gov.uk) – provide people who support your essential functions with all they need to carry out their job
- Introduction on Secure by Default (NCSC.gov.uk) – take the burden of security risks off end users and treat root causes of issues
- Guidance on engagement and training (NCSC.gov.uk) – support your staff to obtain the skills and knowledge required to work securely
- Guidance on maintaining a sustainable strengthened cyber security posture (NCSC.gov.uk) – avoid staff burnout during an extended period of heightened cyber threat
Related courses and services:
- Top tips for staff training course (NCSC.gov.uk)
- Report a scam email service (NCSC.gov.uk)
- Takedown Service (NCSC.gov.uk) – working with hosting providers to remove malicious sites and infrastructure from the internet
Detecting cyber security events (objective C)
Make sure security defences remain effective and you can detect cyber security events affecting, or with the potential to affect, your essential functions.
Security monitoring (C1)
Resources on principle C1 – Security monitoring:
- About principle C1: Security monitoring (NCSC.gov.uk)
Resources on building good logging practices to understand, trace and react to system and security events:
- Guidance on logging and monitoring (NCSC.gov.uk) – detect events that could be deemed as a security incident, and respond accordingly in order to minimise the impact
- Introduction to logging for security purposes (NCSC.gov.uk) – devise an approach to logging that will help answer some of the typical questions asked during a cyber incident
- Device security guidance for device logging on multiple operating systems (NCSC.gov.uk) – how to choose, configure and use devices securely, including mobile devices
- Secure design principle on making compromise detection easier (NCSC.gov.uk) – give yourself the best chance of spotting attacks
Resources on threat intelligence:
- The Home Office’s Cyber Threat Intelligence in Government: A Guide for Decision Makers and Analysts (PDF) – an end-to-end walkthrough of how government organisations should plan, build and manage their cyber threat intelligence capabilities
- About the cyber security information sharing partnership (CISP) (NCSC.gov.uk)
- Guidance on Security Operations Centre (SOC) operation models (NCSC.gov.uk) – design a SOC and security monitoring capability proportionate to the threat you face, your resources and assets
Proactive security event discovery (C2)
Resources on principle C2 – Proactive security event discovery:
- About principle C2: Security event discovery (NCSC.gov.uk)
- Guidance on assessing intelligent tools for cyber security (NCSC.gov.uk) – advice on using an off-the-shelf security tool that employs AI as a core component
More resources
- Government Cyber Security Strategy 2022 – 2030 (GOV.UK)
- How we developed the CAF for local government (localdigital.gov.uk)
- The Local Government Association (LGA) Cyber 360 Framework (LGA)