Identify your critical systems
After you have defined your essential services, you can start to identify potential critical systems for your CAF for local government self-assessment.
This involves:
- Identifying your critical systems
- Documenting your critical systems in your scoping workbook
- Prioritising your critical systems
- Reviewing your shortlist as a team
- Finalising and submitting your scoping workbook
About critical systems
Your critical systems are the network and information systems that your essential services depend on.
These are the systems you identify as being most important to protect. If compromised, they could result in severe financial, legal and regulatory, reputational and safety consequences for your organisation.
Making sure your critical systems have cyber resilience against known threats allows your essential services to operate in a safe and secure manner.
Examples of critical systems
The CAF can be applied to all types of critical systems including on-premises hosted, cloud, hybrid systems and commercial (third-party) hosted.
Critical systems may be:
- systems that are hosted externally, including by commercial (third-party) providers or other councils, for example as part of shared services
- systems that directly support your organisational mission – for example, social care systems, revenue and benefits systems, electoral systems
- corporate or enterprise systems and networks that support or enable other mission critical systems – for example, hosting platform or network, Active Directory
- enterprise or corporate systems that the council may deem critical for its day-to-day operation – for example, Microsoft Office 365, telephony, corporate website
Your chosen critical systems may underpin:
- your corporate systems
- finance
- housing
- registry services
- revenue and benefits
- social care
How to identify your critical systems
It is important to spend time scoping your critical systems at this stage, so that your self-assessment focuses on protecting the highest priority systems for your organisation.
A method we recommend to assess the criticality of your systems is the five lens approach.
This is based on a model used by the GovAssure Cyber Assessment Framework for central government.
This method asks you to review through five lenses:
- Essential services: describe one of your identified essential services that supports your council’s mission
- Functions: break down the essential service into its key functions
- Core underlying infrastructure: identify relevant underlying infrastructure such as network or cloud hosting
- Systems: identify prioritised systems or applications required to deliver this essential service
- Sites and locations: identify hosting locations or sites related to your systems
Read a step-by-step guide on how to apply this to your essential services.
A commercial (third-party) or shared service that is externally managed and hosted will be considered in-scope for your CAF assessment if it:
- supports an essential service
- forms part of another identified critical system
How you might scope a commercial or shared service
When you set your scope, it is important to document what you have visibility of and what you are able to assess for a commercial or shared service.
The responsibility for the implementation and management of security controls will be different for a commercial or shared service. These will need to be agreed between your council and the supplier – a managed service provider, cloud service provider or even another council.
These responsibilities should be factored into contracts and your council should confirm that your supplier is meeting their contractual requirements.
Activities that can support identifying your critical systems
It is good practice to revisit the business impact assessment you created or updated as part of scoping your essential services.
A business impact assessment looks at the impact on your organisational objectives, as well as any financial, legal and regulatory, reputational and safety impacts. This helps you identify what systems could have the biggest effect on your organisation.
It could be useful to create an inventory to identify which systems your council uses.
This is a useful activity to:
- identify system owners you might need to collaborate with
- see dependencies
You could include:
- system name
- system owner
- summary of the service or key business process the system supports
- how critical the service or function is for your council
Consider if an attack on this system would have:
- a confidentiality impact – consider the impact data loss or compromise would have
- an integrity impact – consider the impact of inaccurate data and processing
- an availability impact – consider the impact of the system being unavailable and any contingencies in place
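The inventory and impact questions above can be turned into a small, repeatable model. The following Python is an added worked example, not part of the CAF guidance or any council’s tooling: it records each system with its owner, the service it supports and a confidentiality, integrity and availability impact rating, then propagates criticality along the dependencies you captured, so that underpinning infrastructure (a directory service, a hosting platform) inherits the criticality of the services that rely on it rather than being scored only on its own data. The impact scale, the system names, owners, dependencies and ratings are all constructed for illustration; map the scale onto your own business impact assessment.

```python
from dataclasses import dataclass, field

# Impact scale used by this worked example (constructed; align it with the
# scale in your business impact assessment).
IMPACT = {"low": 1, "medium": 2, "high": 3, "severe": 4}


@dataclass
class System:
    name: str
    owner: str
    service: str                 # service or key business process supported
    confidentiality: str         # impact of data loss or compromise
    integrity: str               # impact of inaccurate data or processing
    availability: str            # impact of the system being unavailable
    depends_on: list[str] = field(default_factory=list)


def direct_score(system: System) -> int:
    """A system is as critical as its single worst impact dimension."""
    return max(IMPACT[system.confidentiality],
               IMPACT[system.integrity],
               IMPACT[system.availability])


def propagate(inventory: list[System]) -> dict[str, int]:
    """Score every system after pushing criticality down dependency edges:
    a system is at least as critical as anything that depends on it.
    A dependency that is not in the inventory is a data-quality error."""
    by_name = {s.name: s for s in inventory}
    for s in inventory:
        for dep in s.depends_on:
            if dep not in by_name:
                raise ValueError(f"{s.name} depends on unknown system {dep!r}")
    score = {s.name: direct_score(s) for s in inventory}
    changed = True
    while changed:               # fixed-point iteration; terminates even with cycles
        changed = False
        for s in inventory:
            for dep in s.depends_on:
                if score[dep] < score[s.name]:
                    score[dep] = score[s.name]
                    changed = True
    return score


def underpins(inventory: list[System], name: str) -> set[str]:
    """Services of every system that transitively depends on `name`."""
    dependents: dict[str, list[System]] = {}
    for s in inventory:
        for dep in s.depends_on:
            dependents.setdefault(dep, []).append(s)
    seen, stack, services = set(), [name], set()
    while stack:
        current = stack.pop()
        for s in dependents.get(current, []):
            if s.name not in seen:
                seen.add(s.name)
                services.add(s.service)
                stack.append(s.name)
    return services


def shortlist(inventory: list[System], threshold: int = 3) -> list[tuple[str, int]]:
    """Systems scoring at or above the threshold, highest first, then by name."""
    score = propagate(inventory)
    return sorted(((n, v) for n, v in score.items() if v >= threshold),
                  key=lambda item: (-item[1], item[0]))


# Constructed sample inventory for a hypothetical council (not real data).
INVENTORY = [
    System("social-care-case-management", "Adult Social Care", "Social care",
           "high", "high", "severe", ["active-directory", "hosting-platform"]),
    System("revenues-and-benefits", "Revenues and Benefits", "Revenue and benefits",
           "high", "severe", "high", ["active-directory", "hosting-platform"]),
    System("active-directory", "IT Infrastructure", "Corporate identity",
           "medium", "medium", "medium", ["hosting-platform"]),
    System("hosting-platform", "IT Infrastructure", "Data centre hosting",
           "low", "low", "medium"),
    System("corporate-website", "Communications", "Corporate website",
           "low", "medium", "medium", ["hosting-platform"]),
    System("leisure-bookings", "Leisure Services", "Leisure bookings",
           "low", "low", "low", ["hosting-platform"]),
]

if __name__ == "__main__":
    for name, score in shortlist(INVENTORY):
        system = next(s for s in INVENTORY if s.name == name)
        print(f"{name:30} score={score} owner={system.owner:22} "
              f"underpins={sorted(underpins(INVENTORY, name))}")
```

Run on the sample data, the directory service and hosting platform each score only medium on their own ratings but are lifted to the top of the shortlist because the social care and revenues systems depend on them; the corporate website and leisure bookings system stay below the threshold. The unknown-dependency check is deliberate: a dependency you cannot find in the inventory is usually a system, or a supplier, that nobody has yet claimed as owner.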
Document critical systems in your scoping workbook
Update your CAF scoping workbook with the critical systems you have identified through the five lens method.
Include the:
- name of your critical system
- name of essential service it supports
- core IT infrastructure underpinning the service (for example, network or cloud provider)
- breakdown of backend systems/applications (where applicable)
- team’s decision on whether this system is in scope
Documenting the critical systems you identify gives you a shortlist of systems in scope that your team can prioritise.
It also gives important context to your independent assurer. It will support the assurer to determine whether the security controls in place are appropriate and proportionate for the level of risk exposure.
Prioritise your critical systems