Transcript: How to create an architecture map

This video will take you through how to create an architecture map of a critical system. Creating this diagram will help you understand what is in scope for your critical system self-assessment, and what isn't. To do this, you should get support from system mappers, technical specialists and subject matter experts. If you do not have this expertise within your council, you may need to seek external support.

Before you start, you should have completed the architecture mapping workbook up to and including the system boundaries tab. You will add your diagrams to your architecture mapping workbook and then share that workbook with your independent assurer for feedback before starting the self-assessment. Alternatively, you can share your diagrams separately via the shared method agreed with your assurer.

So, your map or diagram will need to show any sites your council has, including physical and cloud, site connections, including firewalls, zones, networks or network segmentations, systems that support your critical system, and any breakdown of dependencies and boundaries. To draw your map, use a tool like Microsoft Visio, draw.io or Lucidchart.

So the first step is to add your sites. So for the architecture map of your critical system, think about the high-level infrastructure areas. Include all physical and cloud sites that host the infrastructure and systems needed for your critical system. So here, our fictional council, NE Council, has two physical sites and connectivity to Azure via the internet.

Next, add your site connections. Think about how your sites are connected, and consider any firewalls. Here, the council has added an MPLS connection between the two sites. All access from any organisation passes through a firewall by default, so these have been added. The firewalls may be the same physically, but shown in a logical order to demonstrate the connectivity.

Next, add zones, networks or network segmentations and virtual networks that you have in place. So for site one, NE Council has a DMZ and corporate LAN for external access, which is supported by the corporate firewall. And for site two, a walled garden and corporate LAN, and access is controlled by a separate, dedicated firewall. Azure has a single network.

Now, add any systems you have in place in each zone or network that support your critical system. So here, NE Council's critical application servers are located in the corporate LAN at both sites. Site one has a NetScaler in the DMZ. Site two has database servers in the walled garden. Internal users access the critical systems directly. External users access the systems via NetScaler.

You next need to review where dependencies and infrastructure are located and add them to your diagram. So NE Council has on-premises Active Directory servers with Azure AD in the cloud; SFTP servers in the walled garden transfer files for backup to Azure; all servers are virtualised on VMware ESX at both sites; and external users connect via VPN using the IPsec protocol.

So next, indicate what has been excluded. So annotate your map with any security implications of the cloud or commercial third-party systems you plan to exclude. In your workbook, explain why you have excluded a system, and anything not marked as excluded will be considered as part of your CAF assessment. So in this diagram, third-party support has been added. A different colour has been used to indicate what is to be excluded, along with a clear label.

You should then annotate your diagram or map to help your independent assurer understand your architecture. If you have used symbols or colour coding, remember to add a key. So in this diagram we can see that annotation has been added along with a key.

Once complete, anonymise any sensitive information. Save your diagram as a PDF, PNG or other format that will be accessible to your assurer.
Add the diagram to your architectural mapping workbook or share it securely via your agreed method with your independent assurer and share your architecture mapping workbook with your assurer once complete.