Define your context
Your approach to cyber security depends on what your capability or service does.
What you do and why
You should be able to define the context of the service you provide and how it meets requirements for defence.
You also need to identify your users and their requirements of the system.
Check your business case, concept of operation and user requirement documents. They should include considerations for security. If you do not have these documents, you need to create them.
You can check:
- GOV.UK advice on adding security to your business case
- GOV.UK guidance on business objectives and user needs
What you need to protect
Create a detailed list of things you need to protect, such as:
- networks
- information and data
- documentation
- intellectual property
- reputation
Your capability or service might need to protect assets that are not listed here. Consider how your capability or service is designed and your ways of working.
Not all assets need the same level of protection. Identify your critical assets: the ones whose loss, corruption or unavailability would stop the capability or service doing its job. They are likely to need stronger controls. Work with stakeholders and your security community to agree the importance of each asset, and record who made that decision.
You can check GOV.UK guidance on documenting assets.
Consider all types of information
Your information is probably held in digital form. It might also be printed on paper, or end up embedded in a physical system such as a weapon or a radio transmitter, where it is just as much an asset to protect.
Information in Defence is classified OFFICIAL, SECRET or TOP SECRET. Classification is not the whole picture. When you map your information, you also need to consider:
- confidentiality - who can access what
- integrity - keeping information correct
- availability - getting information at the right time
Find out how to classify information.
Map how information is used
Create a map of how information is used across the life of your capability or service. This helps you:
- understand what happens to information at different stages
- focus on information that needs protecting the most
- choose appropriate security controls
Make it visual
Do not create a spreadsheet. You need to show how information flows through your capability or service.
Choose a tool to help you create a flow diagram, model or schema. For example, Microsoft Visio is available on MODNET.
You need to show which state information is in. Information can be:
- at rest, for example in storage
- in transit, for example in a communications network
- being processed by a computer or a human
Remember to map all of your information from concept and design to retirement. Start with what you know and add details as you go.
Look at the wider picture
Your capability or service does not work in isolation. You need to know how it fits in the Ministry of Defence's existing technical architecture.
On your map, show all connecting systems and organisations. This helps you:
- identify teams and systems you rely on
- recover faster from security incidents
- contribute to keeping Defence secure
Agree your boundary
Your capability or service has a defined scope. This scope includes the things you are responsible for, and nothing outside it is in your control.
Often, technologies and services need to connect to other systems. Putting an agreed boundary on your map helps you:
- define what is in your control
- identify areas of risk
- check whether something you want to do needs authorisation from the owner of a connected system
- share information and updates
Work with system stakeholders
You cannot set your authorisation boundary on your own. Work with system stakeholders and enterprise architects to agree who owns risk on either side of the boundary.
Get agreement from everyone involved
Include the names of people who formally accept each risk. Regularly check that names are still correct.
If you cannot get agreement on your boundary, you need to check your organisation's risk management process.
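The sections above on mapping how information is used, showing its state, showing connecting systems and agreeing a boundary can be captured in a small model rather than a spreadsheet. The following is an added example, not part of this guidance or of any MOD tool: it records systems, which side of the authorisation boundary they sit on, the classification they are accredited to handle and their named risk owner, then records each flow of an information asset with its classification and state. From that it lists the flows that cross the boundary, flags information landing on a system not accredited for it or on an outside system with no named risk owner, and emits a Graphviz DOT diagram you can render. The system names, people and flows are constructed for illustration.

```python
"""Information-flow map with states and an authorisation boundary (added example).
All systems, owners and flows below are constructed sample data."""
from dataclasses import dataclass

# Defence classification tiers, in increasing order of sensitivity
CLASSIFICATIONS = ("OFFICIAL", "SECRET", "TOP SECRET")
STATES = ("at rest", "in transit", "processing")


def rank(classification: str) -> int:
    return CLASSIFICATIONS.index(classification)


@dataclass(frozen=True)
class System:
    name: str
    in_boundary: bool        # inside the agreed authorisation boundary?
    max_classification: str  # highest tier the system is accredited to handle
    risk_owner: str          # person who formally accepts its risk ("" if not agreed)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    asset: str
    classification: str
    state: str               # one of STATES; src == dst for "at rest" / "processing"


class InfoMap:
    def __init__(self) -> None:
        self.systems: dict[str, System] = {}
        self.flows: list[Flow] = []

    def add_system(self, system: System) -> None:
        self.systems[system.name] = system

    def add_flow(self, flow: Flow) -> None:
        if flow.state not in STATES or flow.classification not in CLASSIFICATIONS:
            raise ValueError(f"bad state or classification: {flow}")
        if flow.src not in self.systems or flow.dst not in self.systems:
            raise ValueError(f"unknown system in flow: {flow}")
        self.flows.append(flow)

    def boundary_crossings(self) -> list[Flow]:
        """Flows that leave or enter the authorisation boundary."""
        return [f for f in self.flows
                if self.systems[f.src].in_boundary != self.systems[f.dst].in_boundary]

    def findings(self) -> list[str]:
        """Points to raise with stakeholders before the boundary is agreed."""
        out = set()
        for f in self.flows:
            for end in {f.src, f.dst}:
                s = self.systems[end]
                if rank(f.classification) > rank(s.max_classification):
                    out.add(f"{f.asset} ({f.classification}) {f.state} on {s.name}, "
                            f"which is only accredited to {s.max_classification}")
        for f in self.boundary_crossings():
            for end in (f.src, f.dst):
                s = self.systems[end]
                if not s.in_boundary and not s.risk_owner:
                    out.add(f"no named risk owner for {s.name}, "
                            f"which handles {f.asset} across the boundary")
        return sorted(out)

    def to_dot(self) -> str:
        """Graphviz DOT: systems inside the boundary are drawn in a cluster."""
        lines = ["digraph infomap {", "  rankdir=LR;",
                 '  subgraph cluster_boundary { label="authorisation boundary";']
        lines += [f'    "{s.name}";' for s in self.systems.values() if s.in_boundary]
        lines.append("  }")
        lines += [f'  "{s.name}" [shape=box];'
                  for s in self.systems.values() if not s.in_boundary]
        for f in self.flows:
            lines.append(f'  "{f.src}" -> "{f.dst}" '
                         f'[label="{f.asset}\\n{f.classification}, {f.state}"];')
        lines.append("}")
        return "\n".join(lines)


def build_sample_map() -> InfoMap:
    """Constructed example: a planning capability, its archive and two connected systems."""
    m = InfoMap()
    m.add_system(System("MissionPlanner", True, "SECRET", "J. Smith (SRO)"))
    m.add_system(System("Archive", True, "SECRET", "J. Smith (SRO)"))
    m.add_system(System("FieldRadio", False, "SECRET", ""))            # owner not yet agreed
    m.add_system(System("SupplierPortal", False, "OFFICIAL", "A. Jones"))
    m.add_flow(Flow("MissionPlanner", "MissionPlanner", "tasking orders", "SECRET", "processing"))
    m.add_flow(Flow("MissionPlanner", "Archive", "tasking orders", "SECRET", "in transit"))
    m.add_flow(Flow("Archive", "Archive", "tasking orders", "SECRET", "at rest"))
    m.add_flow(Flow("MissionPlanner", "FieldRadio", "tasking orders", "SECRET", "in transit"))
    m.add_flow(Flow("MissionPlanner", "SupplierPortal", "spares demand", "OFFICIAL", "in transit"))
    m.add_flow(Flow("MissionPlanner", "SupplierPortal", "tasking orders", "SECRET", "in transit"))
    return m


if __name__ == "__main__":
    sample = build_sample_map()
    print(sample.to_dot())                       # pipe into: dot -Tsvg > infomap.svg
    for finding in sample.findings():
        print("FINDING:", finding)
```

In the sample, three flows cross the boundary, and two findings come out: SECRET tasking orders sent to a portal accredited only to OFFICIAL, and a connected radio with no named risk owner. Both are exactly the kind of point the guidance says to settle with stakeholders and enterprise architects before the boundary is agreed, and re-running the checks whenever the map changes keeps the named owners current.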
Published August 2024