Information security covers the technologies, policies and practices you choose to keep data secure.
It’s important because government has a duty to protect service users’ data. Without this protection, users could lose trust in public services.
Security for ‘secret’ or ‘top secret’ information
This guidance is for services holding information that’s classified by the government as ‘official’.
If your service handles information that’s classified as ‘secret’ or ‘top secret’, then you should ask for specialist advice from your department or agency security team.
Before you start assessing security
Accept your service will have information risk
It’s unrealistic to aim for a service with no information risk.
You should identify the risk to your service posed by your technology choices, processes, staffing and data aggregation.
When you understand this risk, you can then find ways to reduce it.
Talk to risk professionals
You need to discuss your security decisions with your organisation’s risk owner. Do this as early as possible when developing your service.
Your risk owner is responsible for dealing with risk in all your organisation’s services.
They can help you decide the risks you can accept and put a plan in place to mitigate against those you can’t.
When to start considering information security
You should start thinking about the security of your service in the discovery or alpha phase, depending on what you’re building.
Government security policy requires your security measures to be proportionate to the risk while still allowing user needs to be met.
How to assess information security
When you’re assessing the security of your service and the data you hold, you should consider it under the following general categories:
- confidentiality - information should only be seen by people who are authorised to access it
- integrity - information should only be modified by people who are authorised to do so
- availability - information should be available when needed (problems or attacks shouldn’t stop you getting information from the system)
- non-repudiation - nothing should happen in a system that can’t be traced back to a responsible person
Also consider any relevant privacy legislation - talk to your data protection officer about this.
Carrying out a risk assessment
There’s no government standard for risk assessments, but whatever way you assess risks you should:
- Consider threats to your system and the information and assets you store.
- Record any risks you believe are possible even if you don’t have a solution.
- Prioritise the risks you identify as most likely and the risks that would have the biggest effect on your service and your users.
Learn more about risk assessment
Read these articles to see how other digital organisations manage risk:
- Risk management introduction (The National Cyber Security Centre)
- Information security management (International Organization for Standardization)
- The Security Development Lifecycle (Microsoft)
Risk assessment techniques
Throughout your service’s development, you can assess how well you’re managing risks by using techniques like third-party code audits and penetration testing.
You should run red team exercises and game days to rehearse incident management practices.
If an actual incident occurs, you can use a blameless post mortem to identify whether there are actions that would improve the team’s ability to respond in future.
Once you’ve identified the risks to your information, you can consider how to reduce them, for example by using:
- physical controls like walls, locked doors or guards
- procedural controls like making a manager responsible for access, training staff or putting emergency response processes in place
- regulatory controls like legislation, policy or rules for staff
- technical controls like cryptographic software, authentication and authorisation systems or secure protocols
Choosing which controls to use
To choose controls, you need to assess the risk of information disclosure or modification, then decide which risks you’re willing to accept.
Many controls come with drawbacks and you may find some don’t suit your service.
On-demand or reactive protection
The controls explained in this guide help to prevent incidents occurring, but it may be more efficient for your organisation to detect incidents and react to them.
For example, it might be cheaper to buy on-demand Distributed Denial of Service (DDoS) protection, which only comes into effect when you ask for it, instead of buying protection that you have to run constantly to stop an attack taking place.
Getting an IT Health Check
An IT Health Check provides assurance that your organisation’s external systems are protected from unauthorised access or change.
The check will be a penetration test carried out by a National Cyber Security Centre (NCSC) supplier - read more about penetration tests.
You might find the NCSC guidance on building secure services useful.
Removed references to Data Protection Act 1998.
Guidance first published