Identify your essential services
An important part of setting the scope of CAF for local government self-assessment is defining your organisational context and identifying your council’s essential services.
This involves:
- Discussing and documenting your organisational context
- Defining your organisation’s mission and priorities
- Considering your threat landscape
- Considering your risk appetite
- Identifying your essential services
- Completing a business impact assessment (optional)
Discuss and document your organisational context
Documenting your council’s mission, objectives and priorities in your CAF scoping workbook (.xlsx, 74KB) is the first step to identifying your essential services and the critical systems that underpin them.
Your CAF lead, approver and collaborators should reflect on and document:
- your council’s mission
- key objectives that help you deliver that mission
- your organisation’s top priorities
- your threat landscape – including who could attack your organisation and why, and what could happen if they were successful
- the cyber risk appetite in your council
This will also give your independent assurers an understanding of your organisation’s context so they can determine if security controls are appropriate and proportionate.
First, look at your council’s:
- annual report
- mission statement
- organisation objectives
- any legal or regulatory obligations
- any frontline services you provide to citizens
To define your mission, consider:
- core issues your council addresses
- who your council serves
- your council’s key responsibilities and functions – including any specific roles, duties, or obligations the council must fulfil
- your council’s short-term and long-term goals
- outcomes your council aims to achieve and how you will measure success
- core values that guide the council’s work and how these influence your decision-making
- any partnerships or collaborations that are essential for your council
- any major challenges or opportunities your council faces
To define your objectives, consider:
- your council’s objectives for the next year and how they support your overall mission
- what outcomes or results you expect from these objectives
- how they align with your council’s strategic priorities
- your council’s short-term and long-term strategic priorities
To define your priorities, consider:
- what criteria or factors were considered when selecting your top priorities
- how these priorities were defined – if they were identified using a process or framework, and if they have been reviewed by stakeholders
- how these priorities align with your council’s mission and strategic plan
Your key mission and priorities could involve:
- social services
- children and families’ support
- council tax
- housing
- crime prevention
- education and schools
- environmental health
- leisure and recreation
- business, licensing and regulation
- transportation
- waste management
- street cleaning and maintenance
- planning and development control
Discuss your organisation’s current threat landscape and any mitigations you currently have in place. If there is a multi-threat picture, list the different types. Consider:
- who could attack you – are there any significant external threats?
- why you could be a target – are there any political, economic, social or environmental factors that pose risk?
- what could go wrong if they were successful
- if there have been any recent incidents
- how you monitor emerging threats
If you have any threat assessments, you can reference them in your organisational scope.
It is useful to summarise your organisation’s cyber risk appetite, including:
- any recent cyber security incidents and how you managed them
- what cyber risks are most relevant to your council
- the potential impact of these cyber risks on your operations, finances and reputation
- what level of cyber security risk you are willing to take responsibility for
- any areas in the council that have a higher or lower tolerance for risk
- any legal or regulatory requirements your council must comply with for cyber security
The NCSC has published a blog post on risk appetite, including how to define your organisation’s risk appetite.
How to identify your essential services
Once you understand your council’s mission, you can determine the essential services that allow your organisation to deliver this.
Essential services are the services that allow your council to operate and achieve your mission and objectives.
They include:
- services your citizens rely on every day
- operators of essential services – services that are essential for the maintenance of vital societal or economic activities, such as energy, transport, health, water or digital infrastructure
- fundamental organisational mission and outputs – services that support the mission and day-to-day business of your council
Essential services, and the number of them you could identify during scoping, will vary from council to council.
It depends on how many are required to meet your organisation’s mission and objectives.
The Cyber Assessment Framework is designed to help you protect these essential services.
Identifying and scoping these is an important step and should be an organisation-wide activity.
Make sure this involves your CAF lead, collaborators and system mappers.
Completing a business impact assessment is an example of good practice.
It is not compulsory, but you can use it to:
- validate essential services and the critical systems that they depend on
- identify potential consequences of disruptions, such as cyber attacks
- determine acceptable mitigation arrangements and recovery requirements
Business impact assessments look at the impact on your organisational objectives, as well as any financial, legal and regulatory, reputational and safety impacts.
This information is useful for setting your CAF scope as it helps you identify what systems could have the biggest effect on your organisation.
Example:
Your council has identified ‘revenue and benefits’ to be an essential service. The critical function would be ‘to process payments to local businesses, council tax payers and low income households on a weekly basis.’ This is a ‘fundamental organisational mission and output’ service.
Scoping essential services can be complex, so make sure you discuss this with your collaborators and system mappers.
Next steps
You can move on to identifying your critical systems once you have a clear understanding of:
- your council’s mission, objectives and priorities
- the essential services and functions that support these
Identify your critical systems