Where to document the output of this step: Stage 2 – Part A of the GovAssure Scoping Document – Identifying and defining the critical systems
Resource material: Five Lens Model: Thinking through essential services and critical systems (a worked example)
Stage 2 - Part A: focuses on the identification and prioritisation of the core underlying infrastructure (Lens 3) and systems (Lens 4) that underpin the essential services, as described in the Five Lens Model: ‘Essential services and systems’.
Stage 2 - Part A: builds on the activities completed as part of Stage 1 (Lens 1 and 2), and should only start once the organisations essential services and functions have been defined and prioritised.
Identifying the systems on which essential services rely is a complex process that will need to consider a range of factors. This includes, for example, the core underlying infrastructure (Lens 3), the systems environment and supply chain, and interconnectivity between systems.
As identified elsewhere in this document, this is another example of an area where an organisation may well have a number of existing documents that can help to inform a high-level view of the network and underlying critical systems
When thinking about essential services consider the critical infrastructure services, Operators of essential services (OES) and fundamental organisational outputs that sit under the essential services. Identify which systems are in scope. For Government Critical National Infrastructure(CNI) these are systems characterised as Government Sector Critical National Infrastructure according to the CNI criteria are automatically in scope for GovAssure and Considered critical. The Enhanced profile will be applied to CNI systems. For Operations of Essential Services these are systems which support operators of essential services. For systems supporting fundamental organisational outputs are systems that support the mission and day-to-day business of the organisation, which the organisation must deliver and without which it would not be able to continue to operator, for example primary departmental corporate networks.
Once you have developed the essential systems and functional view as part of Stage 1, you should think about the relevant underlying infrastructure - such as the network or cloud hosting arrangements employed by the organisation to deliver the essential service. This should ideally be aligned to a reference architecture model. The Lens 3 view should clearly identify the groups of network and information systems on which the essential service relies, or which are used for the provision of an essential service and those that are not - including connectivity across those boundaries. In addition, internal and external access points into the organisation’s network and information systems should be captured.
It is useful to be able to illustrate this view using systems architecture and data flow diagrams to support the scoping exercise.
Step 2 involves identifying the relevant and prioritised critical systems sitting on the underlying infrastructure (Lens 3) that are required to deliver the functions underpinning the essential services.
Government CNI should be considered automatically in-scope for GovAssure. Any CNI exclusions should be discussed with GSG.
Once the organisation has developed the view of essential services (Lens 1) to systems (Lens 4), it should then identify the main sites or locations (the physical estate) that are required for the delivery of the essential services, for example physical hosting locations. This view should consider the interconnected nature of sites or locations on which the essential services rely. If there are available information sources that describe the criticality of locations to the running of the essential service, then these are useful inputs.
For the purposes of the CAF self-assessment, the organisation will need to be pragmatic around the number of physical locations and consider logical groupings to manage situations where there are large numbers of sites present. Identifying sites is also important to consider their physical access security arrangements where these have a direct relationship to supporting the delivery of essential services.
You should document the results in the GovAssure Scoping Document, Stage 2 - Part A: Identifying and Defining the critical systems.