Keep systems and data safe with the appropriate level of security.
To meet point 6 of the Technology Code of Practice your plan or design must show how you are securing data and systems.
If you’re going through the spend control process you must explain how you’re meeting point 6 or any limitations you’ve encountered.
How meeting security requirements helps your programme
By securing your technology you will:
- reduce the risk and impact of security threats
- improve risk mitigation
- improve your network’s mean time to recovery
- align with the Security policy framework, Security Classification Policy, and Minimum Cyber Security Standard
Assess your security and resources
You must consider security from the start of your technology programme, and for your service as a whole. Before you start, consider the following questions:
- What security risks does your programme have?
- Will your programme use or collect sensitive data?
- How will your programme’s security interact with other systems?
- How will your programme’s security integrate with your organisation’s departmental security and processes?
- How will your programme’s security meet the Minimum Cyber Security Standard and go beyond that standard where needed?
- Do you have access to the security expertise and skills you need?
- How will you source the security expertise and skills you need?
- What changes to your organisation’s security documentation and processes will your programme need?
- How will you provide appropriate security assurance, both throughout the duration of the programme and for its product or service?
Each organisation’s security resources will depend on its budget, risk appetite and the information and services it handles. Discuss your programme’s security requirements with the team or individual responsible for security in your organisation. As part of this you should:
- conduct a risk assessment for your programme
- identify and comply with any relevant security regulations and frameworks such as those in the technology security guidance list
- agree how your programme will work with the security and assurance policies used within your organisation
- assign roles and responsibilities for security within the programme
- consider if you have access to the relevant security expertise, or if you need to bring in additional skills
Once you have identified your programme security risks, you should integrate these into your programme plan, and include:
- how your programme will track, mitigate, or accept security risks
- expected timetables for mitigating each risk
- clear and well documented security processes
- plans for training and controlling the access of your users
Use proportionate security for your technology
Choose proportionate security to control and monitor your technology programme. Security should protect your information technology and digital services, and enable users to access the data they need for their work.
You should consider the security of any tools you might use to implement and maintain your technology programme.
As you implement your technology programme you should continually review your security, and make sure that you’re mitigating or accepting the security risks that you’ve identified.
Network and infrastructure security
Malicious access is always a risk. Plan how to:
- quickly recover
Make sure you have processes and controls in place to collect, record, protect, and analyse information about any attacks and use this data to improve defences. You should:
- design and implement the components of any system according to government best practice, including network principles and the security design principles for digital services
- increase email security by using the guidance on securing government email and how to set up government email services securely
When platforms have internet access and hold real data, attackers may try to steal or alter that data, and there is also a greater risk of an accidental leak of real data. You should:
- follow the National Cyber Security Centre’s (NCSC) information risk management guidance
- read the Service Manual guidance on securing information for government services
You should integrate security controls and monitoring with the data and network flows using proportionate risk analysis.
You can find information on securing your services in:
- Point 9 of the Service Standard - Create a secure service which protects users’ privacy
- Digital Service Security from NCSC
Whether you’re procuring software as a service (SaaS) or developing your own solution for a platform of tools and services, you should put in place mitigations such as:
- data encryption
- single sign-on
- two-factor authentication (2FA)
- fine-grained access control
- usage monitoring and alerts
- timely patching
You will need to set up assurance mechanisms to monitor your programme security, identify potential risks, and provide confidence to senior leaders and stakeholders about the effectiveness of your security controls.
Continually evaluate your security controls to make sure they:
- provide users with appropriate levels of access
- effectively monitor for security risks
- provide sufficient data for risk analysis
- identify and record all activity and detect anomalies
- enable you to make informed decisions about actions to mitigate discovered risks
Use continuous improvement planning to manage and update security
You will need to provide ongoing assurance of your programme’s security and consider how it integrates with the rest of your organisation’s security. You should discuss this with the team or individual responsible for security in your organisation.
You should consider:
- who will be responsible for the overall security of the programme
- how the programme’s security will be continually assured, monitored, and assessed
- what types of security software testing would be appropriate for your programme
- who will assure, monitor, and assess the programme’s security
- who will implement security updates to ensure the ongoing security of the programme
- who will be responsible for responding to security incidents affecting the programme
Consider using continuous improvement planning in your business-as-usual processes. This will give you regular opportunities to review and improve your security as needed. The review process will also make sure that your security still meets user needs and evolving technology.