In this video, we walk through a couple of ways to prioritise your critical systems. Before you do this, you should have already identified your essential services and have a list of the critical systems that underpin them. For the CAF for local government, you need to prioritise three of them to be in scope for the assessment.

As you decide which critical systems to prioritise, it's worth remembering that you can always re-assess or choose different critical systems in a future CAF assessment. But how do you choose which ones are in scope for your first assessment? Well, in this video we're going to cover two methods. The first is to rate the criticality of your critical systems. The second is to complete or review an existing risk assessment.

So, for the first method: rating the criticality of your critical systems. This will help you decide if a critical system is mission critical, that is, a system that supports functions or handles data determined to be vital to the operations or mission of the organisation.
Business critical: systems that support functions and handle information that is important to support the organisation's primary operations. Non-critical: systems that support functions and handle information that's necessary for the conduct of day-to-day business, but which are not mission critical in the short term. And business supporting, the least important category of systems: systems that handle information used in the conduct of routine, day-to-day business.

On security.gov.uk there's a template to help you do this. So let's look at a completed template. Here we can see our completed template. There is a column with a list of the critical systems that the council is considering. There is a column for the name of the system owner internally, and a summary of the service, business process or function this system supports. And each of these critical systems has been given a criticality rating. So here we can see the public website: the council has considered it business critical.
To do this, the council has considered the impact of a cyber attack against three measures. The first is confidentiality: the impact of data loss or compromise from a system. For example, does the system hold commercially sensitive information? Integrity: the impact of inaccurate data and processing, for example processing wrong payments. And availability: the impact of the system not being available for 12 hours.

For each of these measures, the council has rated the system either high impact, medium impact or low impact. So we see that the public website has a rating of medium impact for confidentiality, high impact for integrity, and medium impact for availability. In the system criticality column there is a key. For a system with one high rating, it can be considered business critical. So that's what the public website has been considered by the council. Let's look at the next system, which is the voice or VoIP system. Across the three measures it has been considered high impact on all three.
And if you look at the key, with two or more high impact measures the council could consider that a mission critical system. The key can also help you determine which systems are non-critical or business supporting. So for example, the training platform has three low impact ratings, so it could be considered business supporting.

For the CAF you need to decide on three mission critical systems. So what if you have more than three? Well, in this example we have the voice/VoIP system, the financial management system, the revenue and benefits system and the election systems all being considered mission critical. In this scenario, for each system you consider with your team the maximum tolerable downtime, so the downtime that could be tolerated without causing significant harm to your organisation's mission; the recovery time objective, so the expected recovery time before reaching the business process's maximum tolerable downtime; and the recovery point objective, so the maximum target period in which data can be lost without severely impacting recovery of operations.
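Here is an added worked example, not taken from the video or the security.gov.uk template, that applies the criticality key and the three recovery columns just described to a constructed set of template rows. The system names follow the video's examples, but the owners, impact ratings and MTD/RTO/RPO figures are invented; the "non-critical" fall-through for systems with no high rating and the MTD-first ordering of the shortlist are assumptions, since the video states the key only for one high, two or more highs and three lows and says the columns "help you decide" without fixing an order. It also adds one consistency check the video does not mention: flagging any system whose RTO is longer than its MTD, which by the video's own definition means the recovery plan cannot meet the business's tolerance.

```python
from dataclasses import dataclass

# Impact ratings used in the template (each measure is rated high, medium or low).
RATINGS = ("high", "medium", "low")


@dataclass(frozen=True)
class CriticalSystem:
    name: str
    owner: str            # internal system owner
    service: str          # service / business process the system supports
    confidentiality: str  # impact of data loss or compromise
    integrity: str        # impact of inaccurate data or processing
    availability: str     # impact of the system being unavailable for 12 hours
    mtd_hours: float      # maximum tolerable downtime
    rto_hours: float      # recovery time objective
    rpo_hours: float      # recovery point objective


def criticality(system: CriticalSystem) -> str:
    """Apply the key from the template's system criticality column.

    Key as stated in the video: two or more high ratings -> mission critical,
    one high rating -> business critical, three low ratings -> business supporting.
    Assumption (not stated in the video): anything else, i.e. no high rating and
    at least one medium, is non-critical.
    """
    ratings = (system.confidentiality, system.integrity, system.availability)
    for rating in ratings:
        if rating not in RATINGS:
            raise ValueError(f"{system.name}: unknown impact rating {rating!r}")
    highs = ratings.count("high")
    if highs >= 2:
        return "mission critical"
    if highs == 1:
        return "business critical"
    if ratings.count("low") == 3:
        return "business supporting"
    return "non-critical"


def recovery_gaps(systems):
    """Return the names of systems whose RTO exceeds their MTD.

    The video defines the RTO as the expected recovery time before the MTD is
    reached, so an RTO longer than the MTD means the recovery plan cannot meet
    the business's tolerance and should be resolved before scoping.
    """
    return [s.name for s in systems if s.rto_hours > s.mtd_hours]


def prioritise_mission_critical(systems, limit=3):
    """Shortlist mission critical systems for the CAF assessment.

    Assumption: rank by the tightest MTD first, then RTO, then RPO, so the
    systems the council can least afford to lose come first.
    """
    mission = [s for s in systems if criticality(s) == "mission critical"]
    mission.sort(key=lambda s: (s.mtd_hours, s.rto_hours, s.rpo_hours))
    return [s.name for s in mission[:limit]]


# Constructed sample template rows: the names follow the video's examples, the
# owners, ratings and recovery figures are invented for illustration only.
SAMPLE_SYSTEMS = [
    CriticalSystem("Public website", "Comms lead", "Resident information and online forms",
                   "medium", "high", "medium", 48, 24, 24),
    CriticalSystem("Voice / VoIP system", "IT service desk lead", "Internal and resident telephony",
                   "high", "high", "high", 4, 2, 1),
    CriticalSystem("Financial management system", "Finance lead", "Payments and ledger",
                   "high", "high", "medium", 24, 12, 4),
    CriticalSystem("Revenue and benefits system", "Benefits service lead", "Council tax and benefits",
                   "high", "high", "high", 12, 8, 1),
    CriticalSystem("Election systems", "Electoral services lead", "Electoral register and polling",
                   "high", "medium", "high", 24, 36, 24),
    CriticalSystem("Training platform", "HR lead", "Staff e-learning",
                   "low", "low", "low", 168, 72, 48),
]


if __name__ == "__main__":
    for system in SAMPLE_SYSTEMS:
        print(f"{system.name:30} {criticality(system)}")
    print("RTO exceeds MTD:", recovery_gaps(SAMPLE_SYSTEMS))
    print("CAF shortlist:", prioritise_mission_critical(SAMPLE_SYSTEMS))
```

Running the script rates the public website business critical, the training platform business supporting and the other four systems mission critical, flags the election systems because their RTO (36 hours) is longer than their MTD (24 hours), and shortlists the VoIP, revenue and benefits, and financial management systems. Swap the sample rows for your own template and adjust the ordering assumption if your council weighs the columns differently.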
If you enter that information in the three columns, it can help you decide which mission critical systems you want to prioritise for the CAF for local government.

So let's look at the second method, which we're only going to touch on briefly: completing or reviewing an existing risk assessment. This should identify threats, assess vulnerabilities within critical systems that could be exploited, and consider the likelihood and impact of the identified threats. When you do this, evaluate risk; you might want to use risk matrices, heatmaps, or qualitative or quantitative risk assessment software.

Remember to collaborate with your team throughout the council when prioritising your critical systems. These could include service leads, business system owners, and IT or cyber team members. When prioritising your critical systems as a team, focus on the highest priority systems for your council as a whole. Remember, prioritising critical systems is not solely the job of an IT department.
Involve people from throughout your organisation, particularly senior leaders, who might be better placed to decide which systems are critical from a strategic point of view.

Finally, we're going to look at some pointers on what to consider with your team. Remember to consider: which systems would be most important to get back up and running? Does a critical system support your council's mission and objectives? What else could you use to determine priority? And will you be able to get the information you need from a third-party supplier? Once you have prioritised your three critical systems, add them to your scoping workbook.