4. Document the system
Introduction
To comprehensively document your systems, several sections are available within the interface. Each section focuses on a specific aspect of the system, ensuring thorough documentation.
These sections include:
- Contact: Key contacts responsible for the system.
- System Overview: A general description and purpose of the system.
- System Details: Specific attributes and technical details about the system.
- Data Information: Information about data classification, storage, and handling.
- Recovery: Details about recovery objectives (RTO, RPO) and disaster recovery plans.
- Related Systems: Dependencies or relationships with other systems.
- Risk Assessment: Evaluation of potential risks associated with the system.
- Complementary Information: Additional details or notes relevant to the system.
Explore each section in detail below to ensure your system documentation is complete and up to date.
Contacts
Identifying stakeholders involved in the design, development, implementation, assessment, operation, maintenance, or disposal of systems is essential for effective risk management. Clear identification ensures accountability and effective collaboration, particularly for shared systems or those involving cloud services.
To document Stakeholders,
- Open the new system card you created.
- Navigate to the “Contact” section and complete the following fields:
- Business Owner: Responsible for the overall business performance of the system.
- System Owner: Accountable for the system's operation and maintenance.
- System Administrator: Manages the day-to-day technical operations.
- Information Owner: Oversees the data within the system.
- Other Contacts: Include any additional stakeholders relevant to the system.
System Overview
Below are the key attributes to document for each system.
Navigate to the “System Overview” section and complete the following fields:
Description
Provide a brief overview of the system's purpose and functionality.
Country/Region
Specify the geographic location of the system.
Functional Domain
Define the business function the system supports (e.g., HR, IT, Finance).
Business Unit
Link the system to the appropriate business unit.
Environment Stage
Identify the system's stage. By default:
- Production
- Non-Production
Operational Status
Define the system's operational status. By default, based on NIST standards:
- Operational
- Under Development
- Major Modification
- Decommissioned
Criticality
Define the system's operational criticality. By default:
- N/A
- Critical
- Non-Critical
Internet Facing Status
Specify whether the system is accessible via the internet (Yes or No).
System Details
In this section, define the detailed attributes of each system to provide a comprehensive view of its architecture and operational context.
Complete the following fields:
Architectural Domain
Specify the architecture type. For example: Organisation, Services & Products, Information, People, Processes, Facilities, Data, Applications, Platforms, Infrastructures, External - Partners, External - Untrusted.
System Type
Classify the system using the options provided. For example: Server, Network, User Device, Public Terminal, Media, PeoplePhysical, Compute, Storage, Application, Data, Unknown.
System Accessibility
Indicate whether the system is External, Internal, Isolated, Unknown, or N/A.
Hosting Type
Describe hosting (e.g., Internal, External Shared, External Dedicated).
Cloud Type
Specify if applicable (e.g., IaaS, PaaS, SaaS).
Cloud Stack Components
Define the cloud infrastructure components involved (e.g., Physical, Network, Compute, Storage, Application, Data).
Data information
Classify and document key data attributes for each system to ensure proper handling and compliance.
Complete the following fields:
Data Classification Levels
Indicate the sensitivity of data the system processes (e.g., Public, Internal, Confidential).
PII Involvement
Specify whether the system processes Personally Identifiable Information (PII).
PHI Involvement
Specify whether the system processes Protected Health Information (PHI).
Recovery
Define recovery objectives to ensure business continuity and minimise disruptions. Complete the following fields:
Recovery Time Objective (RTO)
Specify the acceptable maximum downtime.
Recovery Point Objective (RPO)
Specify the acceptable data loss period.
Related Systems
Map and manage system relationships by grouping systems with shared dependencies to enhance oversight and enable effective risk analysis. To map related systems:
- Click on “+”.
- Search for a system using its System ID (SYS-ID).
Risks assessments
Link and manage system risks by associating systems with relevant risk assessments to ensure risks are properly documented and monitored over time. To link systems to risk assessments:
- Click on “+”.
- Search for a risk assessment using its Risk Assessment ID (RAD-ID).
Complementary information
The "Complementary Information" section in CSFaaS allows you to document additional details that enhance the understanding of your system's context and environment. Use this section to:
- Provide Supporting Text: Include detailed descriptions of your system’s boundaries, such as what is in scope and out of scope, interfaces with external systems, and responsibilities for each area. This ensures stakeholders have a clear and comprehensive understanding of the system.
- Add Relevant Details: Document any additional information, such as operational considerations, dependencies, or specific configurations, to further support your system’s context.
Tip for Defining System Boundaries
When defining your system's authorization boundaries in CSFaaS under "Complementary Information":
- Specify In-Scope and Out-of-Scope Elements: Clearly identify the components, data flows, and functionalities included in your system and those excluded.
- Highlight Interfaces with External Systems: Detail connections or interactions with external systems or services, including their operation and any associated security considerations.
- Clarify Responsibilities: Define who is responsible for each area within the system boundaries, including shared responsibilities with external parties.
Providing thorough textual descriptions will enhance the clarity of your documentation and improve understanding among all stakeholders.