Guidance

Make things secure

Keep systems and data safe with the appropriate level of security.

To meet point 6 of the Technology Code of Practice your plan or design must show how you are securing data and systems.

If you’re going through the spend control process you must explain how you’re meeting point 6 or any limitations you’ve encountered.

How meeting security requirements helps your programme

By securing your technology you will:

Assess your security and resources

You must consider security from the start of your technology programme, and for your service as a whole. Before you start, consider the following questions:

  1. What security risks does your programme have?
  2. Will your programme use or collect sensitive data?
  3. How will your programme’s security interact with other systems?
  4. How will your programme’s security integrate with your organisation’s departmental security and processes?
  5. How will your programme’s security meet the Minimum Cyber Security standard and go beyond that standard where needed?
  6. Do you have access to the security expertise and skills you need?
  7. How will you source the security expertise and skills you need?
  8. What changes to your organisation’s security documentation and processes will your programme need?
  9. How will you provide appropriate security assurance, both throughout the duration of the programme and for its product or service?

Each organisation’s security resources will depend on their budget, risk appetite and what information and services they’re handling. Discuss your programme’s security requirements with the team or individual responsible for security in your organisation. As part of this you should:

  • conduct a risk assessment for your programme
  • identify and comply with any relevant security regulations and frameworks such as those in the technology security guidance list
  • agree how your programme will work with the security and assurance policies used within your organisation
  • assign roles and responsibilities for security within the programme
  • consider if you have access to the relevant security expertise, or if you need to bring in additional skills

Once you have identified your programme security risks, you should integrate these into your programme plan, and include:

  • how your programme will track, mitigate, or accept security risks
  • expected timetables for mitigating each risk
  • clear and well documented security processes
  • plans for training and controlling the access of your users

Use proportionate security for your technology

Choose proportionate security to control and monitor your technology programme. Security should protect your information technology and digital services, and enable users to access the data they need for their work.

You should consider the security of any tools you might use to implement and maintain your technology programme.

As you implement your technology programme you should continually review your security, and make sure that you’re mitigating or accepting the security risks that you’ve identified.

Network and infrastructure security

Malicious access is always a risk. Plan how to:

  • identify
  • protect
  • detect
  • respond
  • quickly recover

Make sure you have processes and controls in place to collect, record, protect, and analyse information about any attacks and use this data to improve defences. You should:

Data security

When platforms have internet access and hold real data, threat actors or attackers may try to steal or alter the data. Also, there is a greater risk of an accidental real data leak. You should:

You should integrate security controls and monitoring with the data and network flows using proportionate risk analysis.

Service security

You can find information on securing your services in:

Cloud security

The government’s approach to security in the cloud is set out in the Cloud Security Principles, the Cloud security guidance and the Risk management guidance NCSC.

Whether you’re procuring software as a service (SaaS) or developing your own solution for a platform of tools and services, you should put in place mitigations such as:

  • data encryption
  • single sign-on
  • two-factor authentication (2FA)
  • fine-grained access control
  • usage monitoring and alerts
  • timely patching

Providing assurance

You will need to set up assurance mechanisms to monitor your programme security, identify potential risks, and provide confidence to senior leaders and stakeholders about the effectiveness of your security controls.

Continually evaluate your security controls to make sure they:

  • provide users with appropriate levels of access
  • effectively monitor for security risks
  • provide sufficient data for risk analysis
  • identify and record all activities and can find anomalies
  • enable you to make informed decisions about actions to mitigate discovered risks

Use continuous improvement planning to manage and update security

You will need to provide ongoing assurance of your programme’s security and consider how it integrates with the rest of your organisation’s security. You should discuss this with the team or individual responsible for security in your organisation.

You should consider:

  • who will be responsible for the overall security of the programme
  • how will the programme’s security be continually assured, monitored, and assessed
  • what types of security software testing would be appropriate for your programme
  • who will assure, monitor, and assess the programme’s security
  • who will implement security updates to ensure the ongoing security of the programme
  • who will be responsible for responding to security incidents affecting the programme

Consider using continuous improvement planning in your business-as-usual processes. This will give you regular opportunities to review and improve your security as needed. The review process will also make sure that your security still meets user needs and evolving technology.

Published 6 November 2017
Last updated 27 January 2020 + show all updates
  1. Additional content included and restructure of page.

  2. First published.