Identification and assignment of GovAssure roles and responsibilities and RASCI completion

Where to document the output of this step: GovAssure Responsible, Accountable, Supporting, Consulted and Informed (RASCI) Template

Resource material: Completed RASCI Template (example)

GovAssure will require support from a number of roles and governance groups within the organisation and should not be seen as the sole responsibility of the Chief Information Security Officer (CISO) and Cyber Security Managers, or equivalents. It is important to identify an individual who is accountable for GovAssure as well as an individual who can act as a single point of contact and coordinate communications across the organisation, while facilitating engagement with GSG. It is strongly recommended that the organisation identifies and allocates two roles:

GovAssure Accountable Officer:

The GovAssure accountable officer is a single point of contact with the appropriate level of seniority to provide engagement across the department and ensure access and participation from all relevant teams required for completion of GovAssure. They will act on behalf of the Government organisation to ensure adherence to the GovAssure process and be responsible for completion and authorisation of all GovAssure deliverables. The GovAssure accountable role is usually allocated to the individual who is responsible for the security of network and information systems on which the essential services rely, for example a CISO or equivalent role.

The aim of the role is to improve organisational penetration, driving engagement and communications and increasing traction across the GovAssure lifecycle.

GovAssure Coordination lead:

The GovAssure coordination lead role supports the GovAssure Accountable Officer role by supporting the day-to-day facilitation, coordination, communication and engagement of GovAssure.

It is important that organisations recognise that GovAssure is ‘essential services’ focused, taking a top-down view in order to understand and prioritise systems critical to the successful operation of the organisation. This will require the involvement of multiple roles (including Chief Risk Officers, or equivalents, and system owners) to support delivery throughout the process. Also important to GovAssure and to Stages 1 and 2 is having a good understanding (and, ideally, a formal record) of your systems and defined system owners. Organisations will be supplied with a RASCI template to help them identify the roles required to deliver the end-to-end GovAssure process. This is a recommended first step to understand and consider who within your organisation should be involved in the end-to-end GovAssure process.

Completion of the RASCI for GovAssure

We have developed a GovAssure-specific RASCI matrix as a tool aligned to the stages of GovAssure and its sub-component parts. This will support the identification of all the roles and responsibilities of each stakeholder involved and of who will make decisions throughout the GovAssure process. The template RASCI matrix is available on the GovAssure section of security.gov.uk.

We suggest that the initial priority should be to complete and agree the RASCI matrix. This will ensure the appropriate level of engagement, communications and support for those who will be involved in GovAssure. When populating the RASCI matrix, the following questions should be considered:

The RASCI matrix has been organised according to the five stages of GovAssure and the sub-tasks to be completed as part of each stage. It also includes suggestions for who we would envisage being responsible, accountable, supporting, consulted or informed in each case. The template RASCI has been designed to be reasonably generic and organisations are expected to consider the roles within their organisation and adapt this to fit the needs of their organisation.

In the following sections, this guidance will cover the initiation of the GovAssure scoping exercise, which includes the completion of Part A and Part B of the Scoping Document for Stage 1 of GovAssure. Part A focuses on the organisation’s strategic delivery context, threat landscape and security posture. Part B focuses on the organisation’s essential services and the critical systems underpinning them.

Existing sources of information to use on the GovAssure journey

Where possible, use existing sources of information to support you through the GovAssure process. This will support the thinking around the organisational context and essential services and the links to underpinning critical systems. Examples include organisational outcome delivery plans, business continuity information and any exercises that may present or explain the flow of personally identifiable information (PII) within your organisation, as well as any other work that may have been commissioned previously to better understand and illustrate the essential services delivered by your organisation.



OFFICIAL