It’s essential to establish the people, processes, tools and suppliers required to build a secure service so you can ensure security is embedded throughout digital delivery.
By completing a comprehensive assessment of your project’s security needs you will be able to:
You should identify the security resources you need as part of the discovery or commission phases, and revisit them at the start of a new phase in the project lifecycle so that any changes to those needs can be accommodated.
Completing this activity will help you to achieve the outcomes included in the Secure by Design principle to create responsibility for cyber security risk.
The people with the best knowledge of which resources will be required across the project lifecycle should be your:
For technical information or specific details of how resources will be deployed within a project, you may also need to consult your Chief Technology Officer (CTO), Chief Information Security Officer (CISO), technical architect, security architect, business analyst and development team.
Using your business case and research undertaken as part of the discovery process, outline the tasks that will be required to build and maintain a secure service. You should:
For each task that has been identified, consider the skills required to deliver and oversee the security elements. Include people required as part of build processes and resources required for ongoing operational security.
State whether they should be:
The Secure by Design activity ‘Agreeing roles and responsibilities’ will help you understand the tasks you should consider as part of digital cyber security.
It includes an example RACI (Responsible, Accountable, Consulted, Informed) matrix that shows how to assign duties to activities such as threat modelling, security risk management, security architecture and penetration testing.
If the skills needed to deliver the project need to be acquired or updated (for example, learning how to perform threat modelling), include details of how this training will be conducted, and who will be required to do it.
Consider that training (for example, education on protecting sensitive data or recognising phishing attempts) may be required for non-technical team members. This may already be available from within your organisation or the National Cyber Security Centre (NCSC).
Consult with the wider organisation to assess the available security capabilities, software development environments and tools that will be required for the project.
Examples of common technology include:
If your project requires security technology that is not currently in use, discuss whether other teams or projects would benefit from it so resources can be shared.
Review the existing security policies used within your organisation covering secure software development procedures, secure coding standards and acceptable use of technology.
If additional controls are required, include details of how these will be created, implemented and maintained throughout the project lifecycle.
The output of this review should be a comprehensive list of the tasks required to deliver and maintain a secure service, the people involved during each project stage, and the associated technology.
Include as much detail as possible, for example how long each resource will be available for, whether it is available in-house, and the anticipated cost.
A clearly defined security resource plan should be made available to:
An edited version of this information may also need to be shared with suppliers who will be providing the people or technology required. This should explain how the security resources being procured are intended to fit into the wider context of the project, without providing the full details of the project’s security plan.
This activity is part of the ‘Prepare a secure service’ stage of Secure by Design, which also includes:
The Secure by Design approach will evolve to reflect the needs of government digital services. Your feedback will help us to improve it.
Last update: 31 January 2024