Skip to main content

This is a new service – your feedback will help us to improve it.

  1. Guidance
  2. Secure by Design
  3. Activities
  4. Agreeing roles and responsibilities

Agreeing roles and responsibilities

To effectively embed cyber security within the delivery of government services, project teams need to make security everyone’s responsibility.

While some roles will have more duties than others, improving the overall security culture is the most effective way to ensure risks are understood and managed throughout the digital delivery lifecycle.

Agreeing team and stakeholder responsibilities will allow you to:

This should be conducted at the start of the project, with changes in requirements continually assessed as delivery progresses through various phases.

Completing this activity will help you to achieve the outcomes included in the Secure by Design principle to create responsibility for cyber security risk.

Who is involved

Working together to determine the roles and responsibilities across your project should be your:

Discussions should also take place with security professionals across delivery teams to agree where responsibilities best sit.

It’s important that those being given responsibility for security are consulted as part of the process, rather than having tasks assigned to them. This will allow security to be considered during digital delivery and reduce the risk of security activities being overlooked due to ambiguity around who should perform them.

How to agree security roles and responsibilities

Step 1: Review the existing organisation resource plan

Your organisation’s programme and project management offices will be able to share details of any models already in use that align tasks and deliverables with team roles. If a suitable model exists, discuss with them how cyber security responsibilities can be integrated.

If there is nothing suitable available, you will need to produce and maintain this information separately.

Every organisation has certain obligations related to cyber security. These could be related to policies, regulations, laws, or contracts, and may be different for each digital service depending on the type of data handled and the industry in which it operates.

Consult with the security professionals within your organisation to establish the tasks that should be assigned to roles within your project to meet these obligations.

Step 3: Understand responsibilities for delivering secure digital services

To deliver a secure digital service, various activities need to be completed during each stage of the delivery lifecycle. These cover both operational and technical security tasks.

Consult with the security professionals within your organisation to establish the tasks that should be assigned to roles within your project to meet these secure by design activities.

The Secure by Design activities guidance provides a recommended approach to follow when building and maintaining a secure digital service. This can be tailored to reflect your service when collating a list of the cyber security responsibilities that will need to be allocated across your delivery team.

Step 4: Assign tasks to roles

Associate the roles within your project to each responsibility identified in the previous steps. This should cover who is involved but does not need to include details of what each task consists of, or how it will be carried out.

The Secure by Design activity Identifying security resources will help you understand the people and skills required within your project.

The suggested approach is to create a RACI matrix to clarify inputs and expectations:

Example cyber security roles and responsibilities RACI matrix

Delivery teams can use this template as a starting point for assigning roles and responsibilities to Secure by Design activities. It is available in the following formats:

The roles included within this example reflect recommended service team roles, the security profession career framework and digital and data profession capabilities. You will need to adapt this to reflect the structure of your organisation and delivery teams.

Step 5: Share and monitor roles and responsibilities

The output of this activity should be shared with everyone that has been assigned a responsibility. Delivery team managers should ensure that everyone understands what is expected of them and that they agree to take on the relevant security responsibilities.

Where suitable, specific tasks should be included within job descriptions and monitored through regular performance reviews.

Roles and responsibilities should be regularly assessed during the lifecycle of a project to confirm:

In instances where security issues have been identified, this process should be revisited to ensure that roles are appropriately assigned with improvements made to reduce the risk of repeat incidents.

Further reading

This activity is part of the ‘Prepare a secure service’ stage of Secure by Design, which also includes:

Read the Secure by Design activities

The Secure by Design approach will evolve to reflect the needs of government digital services. Your feedback will help us to improve it.

Last update: 31 January 2024