Identify your critical systems
After you have defined your essential services, identify potential critical systems for your CAF for local government self-assessment.
This involves:
- Identifying your critical systems
- Documenting critical systems in your scoping workbook
- Prioritising your critical systems
- Reviewing your shortlist as a team
- Sharing your scoping workbook with your independent assurer for feedback
About critical systems
Your critical systems are the network and information systems that your essential services depend on.
These are the systems you have initially identified as important to assure. If one of them were compromised, the result could be severe financial, legal, regulatory, reputational or safety consequences for your council.
Making sure your critical systems have cyber resilience against known threats allows your essential services to operate in a safe and secure manner.
Examples of critical systems
The CAF for local government can be applied to all types of critical systems, including on-premises hosted, cloud, hybrid and commercial (third-party) hosted systems. Examples of critical systems include:
- systems that directly support your organisational mission – for example, social care systems, revenue and benefits systems, electoral systems
- corporate or enterprise systems and networks that support or enable other mission critical systems – for example, hosting platform or network, Active Directory
- corporate or enterprise systems that the council may deem critical for its day-to-day operation – for example, Microsoft Office 365, telephony, corporate website
- systems that are hosted externally including by commercial (third-party) providers or other councils, for example as part of shared services
Your chosen critical systems may support:
- revenue and benefits
- social care
- housing
- registry services
- finance
- your corporate systems
How to identify your critical systems
It is important to spend time scoping your critical systems at this stage, so that your self-assessment focuses on protecting the highest priority systems for your organisation.
You may already have a methodology for identifying your critical systems. If not, we recommend the five lens approach, which is based on a model used by the GovAssure Cyber Assessment Framework for central government.
This method asks you to review through five lenses:
- Essential services: describe one of your identified essential services that supports your council’s mission
- Functions: break down the essential service into its key functions
- Core underlying infrastructure: identify relevant underlying infrastructure such as network or cloud hosting
- Systems: identify prioritised systems or applications required to deliver this essential service
- Sites and locations: identify hosting locations or sites related to your systems
Read a step-by-step guide on how to apply the five lens approach to your essential services.
Considering commercial and shared services and systems
Your identification activities might determine that a commercial (third-party) or shared service that is externally managed and hosted is critical.
Your council can consider a commercial system in scope for your CAF assessment if it:
- supports an essential service
- forms part of another identified critical system
How you might scope a commercial or shared service
When you set your scope for a commercial or shared service, it is important to document:
- what your council has visibility of
- what you will be able to assess
Think about:
- the service level agreement your council has with the commercial (third-party) supplier
- where data will be stored
- how data is made available between sites
- any administrative permissions your council has
- if applications are protected by web application firewalls (WAFs)
Responsibility for implementing and managing security controls is divided differently for a commercial or shared service.
These responsibilities need to be agreed between your council and the supplier, whether that is a managed service provider, a cloud service provider or another council.
Factor them into contracts, and confirm that your supplier is meeting its contractual requirements.
Activities that can support identifying your critical systems
If you used or referenced a business impact assessment (BIA) or equivalent exercise when identifying your essential services, it is good practice to revisit this.
A business impact assessment looks at the impact on your organisational objectives, as well as any financial, legal, regulatory, reputational, danger to life and safety impacts. This helps you identify the impact a failure of one or more systems will have on your organisation.
Find out more about completing a business impact assessment.
You could create or use an existing asset inventory to identify which systems your council uses.
This is a useful activity to:
- identify system owners you might need to collaborate with
- see dependencies
- understand all council systems
If creating an asset inventory from scratch, include:
- system name
- system owner
- high-level technical summary and description of system
- summary of the service or business process the system supports
- how critical the service or function is for your council
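The following is an added example, not part of this guidance or of the CAF scoping workbook: a Python model of the five lenses (essential service, functions, core infrastructure, systems) laid over a small asset inventory for a hypothetical council, which derives the candidate critical-system list by tracing dependencies. A system is listed when an essential service depends on it directly or through another critical system (for example, a case management application depends on Active Directory, which depends on the hosting platform), externally hosted entries are flagged for the shared-responsibility questions above, and the list is ordered to give the team a starting point for prioritisation. All system, owner and service names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class System:
    """One asset inventory row: the fields listed in the guidance plus dependencies."""
    name: str
    owner: str
    summary: str
    hosting: str                      # "on-premises", "cloud", "third-party" or "shared-service"
    depends_on: Tuple[str, ...] = ()  # other inventory entries this system cannot run without


# Constructed inventory for a hypothetical council (all names are assumptions).
INVENTORY: Dict[str, System] = {
    "revs-bens-app": System("revs-bens-app", "Head of Revenues", "Benefits and council tax application",
                            "on-premises", ("hosting-platform", "active-directory")),
    "social-care-cms": System("social-care-cms", "Head of Adult Social Care", "Case management SaaS",
                              "third-party", ("active-directory",)),
    "active-directory": System("active-directory", "IT Operations", "Identity and authentication",
                               "on-premises", ("hosting-platform",)),
    "hosting-platform": System("hosting-platform", "IT Operations", "Virtualisation cluster",
                               "on-premises", ("corporate-network",)),
    "corporate-network": System("corporate-network", "IT Operations", "LAN/WAN and internet edge",
                                "on-premises", ()),
    "intranet-wiki": System("intranet-wiki", "Communications", "Staff intranet",
                            "cloud", ("active-directory",)),   # supports no essential service
}

# Lenses 1, 2 and 4: essential service -> key function -> systems that deliver it.
SERVICE_MAP: Dict[str, Dict[str, List[str]]] = {
    "Revenue and benefits": {
        "Assess housing benefit claims": ["revs-bens-app"],
        "Bill and collect council tax": ["revs-bens-app"],
    },
    "Adult social care": {
        "Record and review care assessments": ["social-care-cms"],
    },
}

# Lens 3: inventory entries the team treats as core underlying infrastructure.
INFRASTRUCTURE: Set[str] = {"active-directory", "hosting-platform", "corporate-network"}


def dependency_closure(name: str, inventory: Dict[str, System]) -> Set[str]:
    """Every system `name` transitively depends on (excluding itself).
    Iterative with a visited set, so a cycle in a messy inventory cannot loop forever."""
    seen: Set[str] = set()
    stack = list(inventory[name].depends_on)
    while stack:
        dep = stack.pop()
        if dep == name or dep in seen:
            continue
        if dep not in inventory:
            raise KeyError(f"{name} depends on {dep}, which is missing from the inventory")
        seen.add(dep)
        stack.extend(inventory[dep].depends_on)
    return seen


def scope_critical_systems(inventory: Dict[str, System],
                           service_map: Dict[str, Dict[str, List[str]]],
                           infrastructure: Set[str]) -> Dict[str, dict]:
    """Build workbook rows for every system an essential service depends on,
    directly or through another critical system."""
    rows: Dict[str, dict] = {}

    def row(sysname: str) -> dict:
        if sysname not in rows:
            s = inventory[sysname]
            rows[sysname] = {
                "system": sysname, "owner": s.owner, "hosting": s.hosting,
                "externally_hosted": s.hosting in ("third-party", "shared-service"),
                "lens": "infrastructure" if sysname in infrastructure else "system",
                "services": set(), "functions": set(), "underpins": set(),
            }
        return rows[sysname]

    for service, functions in service_map.items():
        for function, systems in functions.items():
            for sysname in systems:
                direct = row(sysname)
                direct["services"].add(service)
                direct["functions"].add(function)
                for dep in dependency_closure(sysname, inventory):
                    indirect = row(dep)
                    indirect["services"].add(service)      # inherited via the system it underpins
                    indirect["underpins"].add(sysname)
    return rows


def prioritise(rows: Dict[str, dict]) -> List[dict]:
    """Starting order for the team: most essential services supported, then most systems underpinned."""
    return sorted(rows.values(), key=lambda r: (-len(r["services"]), -len(r["underpins"]), r["system"]))


if __name__ == "__main__":
    for r in prioritise(scope_critical_systems(INVENTORY, SERVICE_MAP, INFRASTRUCTURE)):
        print(f"{r['system']:<18} {r['lens']:<15} hosting={r['hosting']:<12} "
              f"external={r['externally_hosted']!s:<5} services={sorted(r['services'])} "
              f"underpins={sorted(r['underpins'])}")
```

Run as is, the intranet wiki drops out because no essential service reaches it, while the network, hosting platform and Active Directory surface at the top of the list even though no function names them directly: that is the "forms part of another identified critical system" rule applied mechanically. The externally hosted case management system is flagged so the team remembers to document what the council can actually see and assess of it.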
Document critical systems in your scoping workbook
Update your CAF scoping workbook with the critical systems you have identified using the five lens approach or an equivalent method, together with any other activities that supported you.
Include the:
- name of your critical system
- name of the essential service it supports
- core IT infrastructure underpinning the service – for example, network or cloud provider
- breakdown of backend systems or applications, where applicable
- team’s decision on whether this system is in scope
The critical systems you identify give you a list of systems potentially in scope that your team can prioritise.
Prioritise your critical systems