00:00:05:02 In this video, we will share what a good response to a CAF for local government self-assessment might look like. We will share what an assurer will look for in a self-assessment, what you might include in a good response to a contributing outcome or IGP, the level of detail to include, and what evidence is appropriate.

00:00:29:20 So when completing your self-assessment, it's a good idea to think about what an independent assurer will be looking for. They will consider things like completeness: how complete was the workbook? Were responses justified with enough evidence? Relevancy: for example, how well the response addressed the contributing outcome or IGP. Consistency: is the evidence provided consistent? Do the responses support the dependencies between contributing outcomes and IGPs? And accuracy: the assurer will consider your council's self-assessment against their own assessment.

00:01:12:13 Keeping these in mind will help you produce a good quality self-assessment and help the assurer make recommendations that better meet your council's needs. So let's look at the organisational self-assessment workbook as an example.
00:01:29:06 To complete your self-assessment, your CAF team will work through each contributing outcome, looking at each indicator of good practice and considering if your council is achieving them. These build a picture of whether you are meeting the contributing outcomes. There's a column to indicate whether you think your council has achieved an outcome or met an IGP. There's also a column for you to summarise your response to an outcome or IGP. Remember, the assurer does not work at your council. So this information is really important for them so they can understand the context of your council and the controls you have in place.

00:02:06:42 So a good response will: state whether a contributing outcome or IGP is met by the council; describe how the council believes they have met or have not met the contributing outcome or IGP; confirm whether your council has any alternative controls in place; and show how your evidence supports the stated position for a contributing outcome and IGP. In your response, explain how the contributing outcome and IGP is met, considering people, processes, technology, and specific security controls that might be relevant.

00:02:50:36 So how much detail should you provide?
00:02:55:08 For some responses, they might only be succinct, for example, where you have a clear solution in place. Others might require more context. Think about what the contributing outcome or IGP is asking and how you meet it as a council. A good question to ask is: does the response give enough organisational context to the external reviewer outside of your council?

00:03:26:13 Let's look at some examples in our workbooks. So the first example is for contributing outcome A1.a, Board direction. So this response provides the assurer with the background they need to understand why it's a cyber security risk and action to review by the council's board, who is presenting to the board, and where the board sits in relation to other groups in the council. This addresses some of the considerations we discussed earlier about people and processes.

00:04:04:06 However, as we said, some responses to contributing outcomes might be more succinct. So if we take a look at the next principle, which is A3 - Asset management, and the first contributing outcome, A3.a - Asset management. So in our example workbook you can see we have a more succinct response. However, this one still captures what the outcome is asking in terms of data, people, and systems.
00:04:41:27 Another point to bear in mind is: in your responses, always be specific and avoid vague terms. So if we look at one of the indicators of good practice for this outcome, the response says all assets have an inventory and include details like asset number, owner, data classification, location. This information is reviewed by the Information Asset Owner at least once a year. So this is specific and it's telling us how often a process is reviewed, in this case once a year. Try to avoid terms like "regularly". If you know a process is reviewed, say, every three months or six months, then state that. This will provide the assurer with a clearer picture of your council's cyber resilience.

00:05:43:18 Another important consideration is providing the evidence to back up your responses. So what evidence is appropriate? Well, it should be existing documents, for example policies and processes, incident response plans, service level agreements, audits or minutes from meetings. Use the evidence tracker in the workbook to reference this evidence. This will help the assurer find and match evidence to the relevant contributing outcomes and IGPs.
00:06:25:19 When sharing evidence, remember to redact any sensitive information in your evidence, for example IP addresses and host names. Make it as easy as possible for the assurer to locate the evidence. For example, if the evidence is part of a long document that you are sharing, then it might be a good idea to include a screenshot of the relevant place in the document where the evidence is located that supports the contributing outcome or IGP. And always use existing documents. Don't create new artifacts to use as evidence.

00:07:09:52 You can find more examples of evidence on security.gov.uk. Here's an example of a page for evidence to provide for organisational self-assessment. Now it's up to you to decide what counts as evidence. This list isn't exhaustive. If you have evidence from a document that's not listed here, then you should consider including that in your self-assessment for the assurer's consideration.