
Introducing the GovAssure Scoping Document

The GovAssure Scoping Document is a foundational document and deliverable for the whole GovAssure process. It is owned by you as an organisation. You are responsible for completing it to record the discussions and decisions the organisation has taken to identify and define its essential services and the ‘in-scope’ critical systems for GovAssure, so that it provides an evidence-based justification of the GovAssure scope. Understanding an organisation’s operating context and the desirable data it holds helps to identify the likely threat actors, their level of sophistication and their motivation for targeting the organisation. This information not only helps an organisation to better protect itself by implementing appropriate and proportionate risk-based controls, it also helps to minimise the impact of cyber security incidents.

The Scoping Document is divided into the following stages:

- Stage 1 – Organisational context and services (see 1.4)
  - Part A: Organisational mission, objectives and priorities
  - Part B: Identifying and defining the essential services
- Stage 2 – In-scope systems and assignment to the CAF profile (see 1.5)
  - Part A: Identifying and defining the critical systems
  - Part B: In-scope critical systems for GovAssure and assigning the target CAF profile

The Scoping Document will be referred to routinely throughout the end-to-end GovAssure process. It is important because it drives the scope of Stage 3: CAF self-assessment, as well as Stage 4: Independent assurance review and Stage 5: Final assessment and targeted improvement plan. The independent assurance reviewers will also use it to understand your organisation, its context and the risk appetite the organisation has set. This supports the reviewer in providing an appropriate and proportionate view of your control environment as part of their independent review of your CAF return.

In the following sections, Stage 1: Part A and Part B are covered in detail. Part A focuses on the organisation’s strategic delivery context, threat landscape and security posture. Part B focuses on the organisation’s essential services and the systems underpinning them.

An example of a completed GovAssure Scoping Document is available to support this process and understand the expected level of detail, using the fictitious government department, the ‘Department of Artificial Intelligence and Robotic Technologies’ (DAIRT).

1.4 GovAssure scoping: Stage 1 - Part A: Organisational mission, objectives and priorities

Where to document the output of this step: GovAssure Scoping Document (Stage 1 – Part A: Organisational mission, objectives and priorities)

Resource material: DAIRT GovAssure Scoping Document (completed example)

Stage 1 - Part A of the ‘GovAssure Scoping Document’ will encourage the organisation to think about and document the following:

- Mission – What is the organisation trying to achieve? How does it support the delivery of Government services?
- Objectives – What are the objectives to deliver that mission?
- Priorities – What are the organisation’s top priorities?
- Threat landscape – Who may seek to target the organisation? Why? What could go wrong if they were successful?
- Cyber risk appetite – What is the cyber risk appetite for the organisation? (It is recognised that not all organisations will have a formally documented statement.)

Government organisations vary hugely in mission, services, complexity and threat. A statement of your organisation’s context and posture will be vital for scoping GovAssure correctly, for selecting the appropriate target CAF profile (Baseline or Enhanced) and for helping the assurance reviewer understand your challenges and chosen controls. The following questions and prompts should be considered when assessing the current organisational posture as part of the scoping exercise.

Overarching Organisational Mission

At the highest level, what does the organisation do? Is the organisation a recognisable part of the national security apparatus? Is the broader mission a target for activists? Are the outputs a possible target for fraudsters?

Threat Landscape

Have you or a third party characterised the threats to the organisation? Which actor groups have you assessed as a threat? What incidents has the organisation experienced and what lessons have you recorded? Do you incorporate this analysis in the choice of controls?

Threat Surface

How dispersed and accessible is the estate? Do you have overseas connectivity? Does the enterprise have externally facing public services? Are the organisation's premises accessible to the public? What are the most desirable information assets, such as large PII or security data sets? Are you reliant on third parties for IT provision, or do you host systems or services for other organisations?

Known Risks and Stated Risk Appetite

How does the organisation express and measure risk at a strategic level? What are the organisation’s priority cyber risks? Do you have a stated risk appetite, and how does it apply to the way you design and deliver security controls across the estate?

Existing Cyber Security Assurance

What existing assurance and testing do you employ, and what are the findings from, for example, DHSC, red teaming exercises, tabletop exercises, external benchmarking or gap analyses?


OFFICIAL