When delivering a service, your approach to responding to security risks is based on your risk appetite. For each risk you need to decide whether to accept it or propose appropriate mitigations.
The risk register produced when performing a security risk assessment records each risk and its inherent rating, before any controls are applied. You reduce the likelihood or the impact of a risk by selecting appropriate controls from your security controls set.
Deciding how to implement these measures is a fundamental part of end-to-end risk management which will allow you to:
You should start responding to security risks as soon as they appear within the risk register, and whenever service requirements change that may have an impact on risk management. This is an iterative activity that aims to continually reduce security risks to an acceptable level and allow you to prioritise ongoing investment into security capabilities and controls.
Completing this activity will help you to achieve the outcomes included in the Secure by Design principles to adopt a risk-driven approach, design usable security controls, build in detect and respond security, design flexible architectures, minimise the attack surface and defend in depth.
This activity should be carried out by your delivery team with direction from security professionals with experience in risk management and the technical architects designing the service. They should use their experience of cyber security and understanding of the service to determine the appropriate mitigations.
Risk response recommendations should be considered by your Senior Responsible Owner (SRO) and service owner who can provide input and approval for the mitigation plan based on broader project context.
Responding to risks involves identifying, evaluating and deciding on appropriate courses of action.
It’s important to understand the influencing factors that will impact the risk management decisions you make. These are likely to include the outputs of Secure by Design activities you should have already completed, including:
Your organisation may have provided you with guidance on risk management when putting together your risk register. This will have given you the necessary foundations for how to assess, respond and monitor risks including details on impact categories, scoring scales, and governance processes.
Aligning your approach with the one recommended by your organisation will ensure that cyber risks are managed consistently. If your organisation does not have risk management guidance available, this should be raised with your Chief Digital Information Officer (CDIO) and Chief Information Security Officer (CISO) as a fundamental organisational risk.
Those responsible for managing risk within your project should collaborate to add a response to each risk identified within your risk register. Document both the intended response, as well as the rationale that led to that decision so those reviewing it can understand the thought process that led to each action.
Decide on a suitable framework for categorising your responses, for example: treat, tolerate, terminate or transfer.
Treating a risk means putting in place security measures that reduce the likelihood of the threat and/or the severity of the impact, mitigating the risk to an acceptable level. This is the usual response where a risk is rated higher than the agreed project risk appetite.
Tolerating a risk means accepting it as part of running a digital service. Risks will always exist, and if the likelihood and impact are low this may be the most sensible option available, especially if the mitigation costs are disproportionately high. Record the decision and review it continually, as the threat landscape or the level of service vulnerability changes.
Terminating a risk applies where the risk is high and the mitigation options are unsuitable: the only way to proceed may be to adapt the service (either permanently or temporarily) so the threat is no longer relevant. This may result in specific features not being available or a fundamental change in the way the service works, so this decision should be taken in close collaboration with delivery teams.
It is also possible to avoid risk by limiting the exposure of your service. For example, if you’re using data that has originated in a separate system, you may choose to hold and process data there rather than transferring sensitive data into your service.
Transferring a risk through liability indemnity from suppliers or other contractual mechanisms can remove your responsibility for it. This moves liability, not the risk itself: the impact on the service and its users is unchanged, so transfer on its own is often an unsuitable response.
It is extremely uncommon within government services for risk to be covered with insurance. Discuss this option with your organisation’s risk management team and HM Treasury to see if an exemption is suitable before considering it as an appropriate response.
Using the security controls set for your service, map the appropriate security controls to the risks in your risk register that you have decided to treat or reduce.
These security control solutions could be technical (such as multi-factor authentication) or non-technical (such as cyber security training) and should be proportionate to the risk that is being mitigated.
When deciding on the most appropriate measure to apply to each risk, consider factors including:
Where there are multiple response options, create a comparison table that assesses the identified risk against the available treatments to allow risk owners and budget holders to make informed decisions based on pros and cons.
Once the appropriate security controls for each risk have been identified and shortlisted, work with decision makers within your project and organisation to determine the preferred set of actions.
This information should be collated into a risk treatment plan that is shared with your delivery team who are responsible for the design and build of security within the service. It should also be made available to those responsible for managing delivery risks such as your SRO, service owner and risk management team.
Deciding to implement these controls will not automatically mean you have a secure service. Regardless of the mitigations in your plan, there will always be a degree of residual risk, and a reliance on controls being correctly implemented and maintained.
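The following is an added worked example, not code from the Secure by Design guidance, showing how the four responses (treat, tolerate, terminate, transfer), the comparison table and the residual-risk check described above fit together in a small risk register. The 5x5 likelihood-by-impact scale, the appetite threshold of 6, the sample risks, the control effects and costs are all constructed assumptions; your organisation's risk management guidance defines the real scales, categories and thresholds.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum

# ASSUMED scoring scale: likelihood and impact each 1..5, score = product,
# and anything scoring above APPETITE is outside the project's risk appetite.
SCALE_MAX = 5
APPETITE = 6


class Response(Enum):
    TREAT = "treat"
    TOLERATE = "tolerate"
    TERMINATE = "terminate"
    TRANSFER = "transfer"


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: int = 0  # points removed from likelihood (assumed effect)
    impact_reduction: int = 0      # points removed from impact (assumed effect)
    cost: int = 0                  # relative cost units, used in the comparison table


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int
    impact: int
    response: Response | None = None
    rationale: str = ""
    controls: list[Control] = field(default_factory=list)

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.impact


def residual(risk: Risk) -> int:
    """Residual score after the chosen response.

    Terminate removes the threat (0). Tolerate and transfer leave the score
    unchanged: a contract moves liability, not the risk. Treat applies each
    control's reductions, never dropping either axis below 1.
    """
    if risk.response is None:
        raise ValueError(f"{risk.ref}: no response has been decided")
    if risk.response is Response.TERMINATE:
        return 0
    if risk.response in (Response.TOLERATE, Response.TRANSFER):
        return risk.inherent_score
    lik = max(1, risk.likelihood - sum(c.likelihood_reduction for c in risk.controls))
    imp = max(1, risk.impact - sum(c.impact_reduction for c in risk.controls))
    return lik * imp


def compare_treatments(risk: Risk, options: dict[str, list[Control]]) -> list[dict]:
    """Comparison table for one risk: options that get within appetite first,
    cheapest of those at the top, so budget holders can weigh cost against effect."""
    rows = []
    for name, controls in options.items():
        trial = Risk(risk.ref, risk.description, risk.likelihood, risk.impact,
                     Response.TREAT, controls=controls)
        res = residual(trial)
        rows.append({"option": name, "residual": res,
                     "cost": sum(c.cost for c in controls),
                     "within_appetite": res <= APPETITE})
    return sorted(rows, key=lambda r: (not r["within_appetite"], r["cost"], r["residual"]))


def treatment_plan(register: list[Risk]) -> list[dict]:
    """One row per risk: decision, rationale, controls, inherent and residual
    score, and an escalate flag where residual risk is still above appetite."""
    plan = []
    for r in register:
        res = residual(r)
        plan.append({"ref": r.ref, "response": r.response.value, "rationale": r.rationale,
                     "controls": [c.name for c in r.controls],
                     "inherent": r.inherent_score, "residual": res,
                     "escalate": res > APPETITE})
    return plan


# Constructed sample controls and register (hypothetical values).
MFA = Control("multi-factor authentication", likelihood_reduction=2, cost=3)
RATE_LIMIT = Control("login rate limiting", likelihood_reduction=1, cost=1)


def build_register() -> list[Risk]:
    return [
        Risk("R1", "credential stuffing against citizen login", 4, 4, Response.TREAT,
             "score 16 is well above appetite; MFA plus rate limiting brings it within",
             [MFA, RATE_LIMIT]),
        Risk("R2", "sensitive data copied from source system into the service", 3, 5,
             Response.TERMINATE, "process the data in the source system instead"),
        Risk("R3", "phishing of internal administrators", 3, 2, Response.TOLERATE,
             "score 6 is within appetite; training cost disproportionate for now"),
        Risk("R4", "hosting supplier outage", 2, 4, Response.TRANSFER,
             "contractual indemnity only; impact on users unchanged"),
    ]


def example_plan() -> list[dict]:
    return treatment_plan(build_register())


def example_comparison() -> list[dict]:
    r1 = build_register()[0]
    return compare_treatments(r1, {"mfa+rate limiting": [MFA, RATE_LIMIT],
                                   "rate limiting only": [RATE_LIMIT],
                                   "mfa only": [MFA]})
```

Running `example_plan()` shows the point made above: R4's residual score is unchanged by the transfer and is flagged for escalation to the SRO, while R1 only reaches appetite with both controls in place and correctly maintained.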
Your risk treatment plan will be effective if:
You should assess the effectiveness of security controls to ensure that the decisions you have made are suitable and applied as intended.
This activity is part of the ‘Manage cyber security risks’ stage of Secure by Design, which also includes:
The Secure by Design approach will evolve to reflect the needs of government digital services. Your feedback will help us to improve it.
Last update: 31 January 2024