When delivering a service you should establish a Secure by Design confidence profile at the beginning of the project and maintain it as the service evolves.
A self assessment tracker has been developed which aligns with the Secure by Design principles you need to meet throughout the service lifecycle. Delivery managers should integrate completion of the self assessment into regular delivery activities involving the relevant team members. This will allow you to:
The Secure by Design self assessment is designed to facilitate lightweight and continuous assurance discussions within project delivery. It should not replace existing security assurance practices within your organisation.
Completing this activity will help you to achieve the outcomes included in the Secure by Design principle to embed continuous assurance.
Delivery managers within your project should have responsibility for completing and maintaining the Secure by Design self assessment tracker and ensuring this happens as part of regular delivery processes. They will need to collaborate with technical and security teams, including their organisation’s Chief Information Security Officer (CISO), to ensure the criteria has been met correctly and the appropriate evidence is available.
The project’s Senior Responsible Owner (SRO) and service owner should be consulted at key points in the development of the tracker, providing sign-off when it is being submitted for approval.
This tracker allows delivery teams within government departments and arm's-length bodies (ALBs) to demonstrate how they are meeting the Secure by Design principles. It will provide you with a confidence profile (low, medium or high) applicable to the phase you are at within the service lifecycle. If your project is in scope for the digital and technology spend controls approval process, this tracker must be submitted to the Cabinet Office with support from your internal assurance teams.
You should use this tracker from the start of your project and continue updating it throughout the delivery of the digital service. Each service should have a single self assessment that can be updated throughout its lifecycle.
The Secure by Design self assessment tracker is currently in the final stages of development.
Email secure-by-design@digital.cabinet-office.gov.uk to request the latest version in either a Google Sheets or Microsoft Excel format. Please include your name, department and role in your request.
Populate the ‘Project Profile’ tab with the necessary information. Save it to an appropriate folder within your file management system. It should be treated as an asset and therefore only be accessible to those who need to view or contribute to it.
The tracker contains tabs that relate to project phases:
Within each of these is a series of questions that map to Secure by Design principles.
Your response to each question will affect your overall security confidence profile. This will be shown as low, medium or high on each tab. By responding positively to each question, you will be able to achieve the required High confidence profile to use in the Cabinet Office digital and technology spend controls assurance process.
At the appropriate points within your project delivery, work through the questions in the tab that’s relevant to your current project stage and provide:
Your supporting evidence should be a clear and concise explanation of how the security requirement has been met, or a link to an output such as a risk assessment report or risk treatment plan.
When providing links to documents, ensure that access has been set appropriately to maintain the security of the information you are referencing.
Include the maintenance of the self assessment within your project delivery processes, updating the information to reflect new evidence or when there are significant changes in outputs already submitted.
You may be required to change a response from a ‘Yes’ to a ‘No’ if the evidence supplied no longer meets the criteria of the self assessment. If this affects the status of your confidence profile, ensure the relevant people within your project and organisation are made aware, then take the necessary steps to manage or mitigate the issue.
When moving between service delivery phases, you will see some questions appearing on more than one tab. This is to ensure that the outputs are refreshed and reconsidered by delivery teams, risk owners and assurance teams for their suitability as the service evolves through its lifecycle. It is possible to repeat the response from an earlier phase if the security requirement or implications remain unchanged.
Share the information with your delivery team, business risk owners and your organisation’s security function so it can be factored into project planning and decision making.
This activity is part of the ‘Prepare a secure service’ stage of Secure by Design, which also includes:
Read the Secure by Design activities
The Secure by Design approach will evolve to reflect the needs of government digital services. Your feedback will help us to improve it.
Last update: 31 January 2024
OFFICIAL