00:00:04:27 - 00:00:05:26 This video will
00:00:05:26 - 00:00:09:00 look at what critical systems are and how you identify them.
00:00:09:19 - 00:00:12:10 So, what are critical systems?
00:00:12:10 - 00:00:15:22 Well, they are the network and information systems
00:00:16:02 - 00:00:19:02 that your council's essential services rely on.
00:00:21:08 - 00:00:23:21 If a critical system is compromised,
00:00:23:21 - 00:00:26:21 there could be severe consequences for your council.
00:00:27:08 - 00:00:29:23 These could be financial,
00:00:29:23 - 00:00:31:09 legal,
00:00:31:09 - 00:00:34:09 regulatory, reputational
00:00:34:28 - 00:00:37:28 or safety consequences.
00:00:38:14 - 00:00:41:03 And as part of the CAF for local government,
00:00:41:03 - 00:00:43:27 you document your critical systems in the scoping
00:00:43:27 - 00:00:46:27 workbook,
00:00:47:00 - 00:00:48:00 and prioritise
00:00:48:00 - 00:00:51:00 the ones that are in scope for the self-assessment.
00:00:51:07 - 00:00:54:04 These systems must come from the essential services
00:00:54:04 - 00:00:57:04 you identified earlier in the scoping process.
00:00:58:00 - 00:01:00:26 So, let's take a look at some examples
00:01:00:26 - 00:01:03:26 of critical systems.
00:01:04:14 - 00:01:06:01 These could be systems
00:01:06:01 - 00:01:09:01 that support your organisational mission,
00:01:09:12 - 00:01:11:24 corporate or enterprise systems and networks
00:01:11:24 - 00:01:16:06 that support mission critical systems, for example, Active Directory.
00:01:17:19 - 00:01:18:13 Corporate or
00:01:18:13 - 00:01:21:25 enterprise systems that are critical for your day to day operations,
00:01:22:15 - 00:01:25:02 for example, your corporate website
00:01:25:02 - 00:01:29:01 or systems that are hosted externally by third parties
00:01:29:01 - 00:01:32:01 or another council as part of a shared service.
00:01:33:10 - 00:01:35:07 If your council does consider
00:01:35:07 - 00:01:39:18 a third party or shared system in scope, you will need to document
00:01:40:00 - 00:01:43:26 what your council has visibility of, and what you will be able to assess.
00:01:45:24 - 00:01:48:26 So, how do you identify your critical systems?
00:01:49:06 - 00:01:54:00 Well, a good question to ask is if the council systems failed,
00:01:54:11 - 00:01:57:06 which would you restore first?
00:01:57:06 - 00:01:59:13 And to help you answer this question,
00:01:59:13 - 00:02:02:13 we recommend the five lens approach.
00:02:02:27 - 00:02:06:10 This method asks you to review your essential services
00:02:06:18 - 00:02:10:09 for five lenses to identify those critical systems.
00:02:11:11 - 00:02:13:11 The first lens
00:02:13:11 - 00:02:16:01 is the way you describe one of your identified
00:02:16:01 - 00:02:19:04 essential services that supports your council's mission.
00:02:20:03 - 00:02:21:14 So in this example,
00:02:21:14 - 00:02:24:14 the council has identified revenue and benefits.
00:02:25:11 - 00:02:29:05 In the next lens, you break down the essential service
00:02:29:05 - 00:02:32:05 into its key functions.
00:02:33:01 - 00:02:34:00 Next,
00:02:34:00 - 00:02:36:29 identify the underlying infrastructure,
00:02:36:29 - 00:02:39:29 such as network or cloud hosting.
00:02:41:08 - 00:02:44:08 In the fourth lens, identify
00:02:44:21 - 00:02:47:26 prioritise systems or applications required
00:02:47:26 - 00:02:50:26 to deliver the essential service.
00:02:51:18 - 00:02:54:01 And finally, in the fifth lens,
00:02:54:01 - 00:02:56:29 identify hosted locations or sites
00:02:56:29 - 00:02:59:29 related to your systems.
00:03:00:03 - 00:03:04:04 So in this example, the council has now identified
00:03:04:04 - 00:03:07:06 their top priority critical systems to support
00:03:07:06 - 00:03:10:06 revenue and benefits.
00:03:10:12 - 00:03:12:02 You should repeat this process
00:03:12:02 - 00:03:15:02 for each essential service,
00:03:15:11 - 00:03:19:06 and you can find more detail on applying the five lens approach
00:03:19:15 - 00:03:22:15 on security.gov.uk.
00:03:24:25 - 00:03:27:15 You might also want to look at existing documents,
00:03:27:15 - 00:03:30:15 for example, business impact assessment
00:03:31:15 - 00:03:34:07 or any asset inventory you might have.
00:03:35:19 - 00:03:38:14 So a business impact assessment,
00:03:38:14 - 00:03:42:03 if your council has completed one of these it's good practice to revisit it.
00:03:42:23 - 00:03:46:09 These can help you identify the impact of a failure of one
00:03:46:21 - 00:03:50:00 or more systems could have on your organisation,
00:03:50:25 - 00:03:54:27 and an asset inventory well, as well as seeing which systems
00:03:54:27 - 00:03:58:03 your council uses, it will also show who
00:03:58:03 - 00:04:01:03 you might need to collaborate with.
00:04:01:07 - 00:04:03:18 Once you have identified
00:04:03:18 - 00:04:06:18 your critical systems,
00:04:07:06 - 00:04:10:06 add them to the scoping workbook
00:04:10:24 - 00:04:13:28 and explain the methodology that you have used
00:04:14:00 - 00:04:17:00 to identify these critical systems.
00:04:18:00 - 00:04:21:00 While we've recommended the five lens approach,
00:04:21:26 - 00:04:24:25 you can of course use your own methodology.
00:04:24:25 - 00:04:28:28 But what is important is you are able to explain in the workbook
00:04:29:12 - 00:04:35:08 to the assurer why you have chosen the methodology that you have used.
00:04:38:28 - 00:04:41:22 After you've identified your critical systems,
00:04:41:22 - 00:04:45:21 the next step is to prioritise them for the CAF for local government
00:04:46:23 - 00:04:49:23 and to add them to the scoping workbook.
00:04:51:05 - 00:04:54:09 And you can find more guidance on how to prioritise
00:04:54:09 - 00:04:59:01 your critical systems on security.gov.uk.