Secure by Design Example Security Resources Plan
Documenting a project’s required security resources helps you ensure security is embedded through each phase of digital delivery.
This plan is an example of an output of the Secure by Design activity Identifying security resources.
It is not an extensive list and is intended as a guide and a starting point. It names 11 possible security resources and, for each resource, identifies a:
- description
- category
- purpose
- project phase
- potential responsible department
The information on this page is also available to download as a spreadsheet.
The spreadsheet contains additional columns with dropdowns which allow you to record whether the resource is required for this project, whether it is already available within the organisation and whether additional money may be needed to secure it.
Example security resources
Security personnel or expert
Security personnel are skilled individuals within the organisation who specialise in cyber security.
They include security analysts, security risk managers, security architects, consultants and incident responders who have expertise in areas such as security operations, threat modelling, incident response and vulnerability management.
They play a crucial role in implementing and maintaining effective security measures.
Category: People
Purpose: The purpose of security personnel is to use their knowledge and skills to handle security-related tasks within the organisation.
During the delivery life cycle, they can provide guidance and expertise in areas like security risk management, threat modelling, cyber security requirements and so on.
They are responsible for monitoring security systems, responding to security incidents, conducting vulnerability assessments and implementing security controls.
Their function is to safeguard the organisation’s assets, systems, and data from potential threats and attacks.
Project phase: Security personnel are involved in all phases of the project life cycle.
During the planning phase, they help define security requirements and contribute to risk assessments.
In the execution phase, they implement and monitor security controls.
In the maintenance phase, they continuously assess and respond to emerging security threats and incidents.
Information security technology resources
Security technology resources include a range of hardware and software solutions designed to safeguard systems and networks. This includes firewalls, intrusion detection or prevention systems (IDS or IPS), antivirus software and other security tools.
These technologies work together to protect against unauthorised access, detect security threats and mitigate potential risks.
You should identify the resources that are already available within the organisation to protect against unauthorised access, and detect and mitigate security threats.
Category: Tool or technology
Purpose: The purpose of information security technology resources is to establish and maintain a robust security posture within an organisation.
They provide protective and detective measures against various types of cyber threats, such as malware, unauthorised access attempts and network intrusions.
These technologies continuously monitor and analyse network traffic, identify suspicious activities, and enforce security policies to mitigate risks effectively.
Project phase: Security technologies are applicable in all phases of a project life cycle.
During the planning phase, they are considered when designing the security infrastructure.
In the execution phase, they are implemented to protect systems and networks.
In the maintenance phase, they are continuously updated and monitored to ensure ongoing protection against evolving threats.
Security policies and standards
Security policies and standards are a set of guidelines and directives that outline how an organisation should approach and manage security. They include policies such as an information security policy, access control policy, data classification policy and more.
These policies serve as a foundation for establishing secure operations, access controls and data handling practices within an organisation.
Policies are usually mandatory, so you should identify policies that are relevant to your project.
Category: Policies, procedures and control frameworks
Purpose: The purpose of security policies and standards is to provide clear and comprehensive guidance on security-related practices and procedures.
They define the organisation’s expectations for security measures, establish controls and outline the responsibilities of employees, stakeholders and external third parties.
These policies enable consistent decision-making, enforce compliance with security standards and support a secure operating environment.
Project phase: Security policies are relevant to all phases of a project life cycle.
During the planning phase, they assist in defining security requirements, risk management approaches and compliance obligations.
In the execution phase, they guide the implementation of security controls and ensure adherence to established policies.
In the maintenance phase, they provide a framework for ongoing policy updates, security awareness and enforcement.
Security control frameworks
Security frameworks refer to established sets of guidelines, best practices and standards that organisations can adopt to establish and maintain effective security practices.
Frameworks provide comprehensive guidance and recommendations to address various aspects of security.
You should find out if your organisation has a security framework because it is likely to affect security decisions you make during delivery.
Category: Policies, procedures and control frameworks
Purpose: The purpose of security frameworks is to help organisations implement a structured and systematic approach to security.
They offer a framework for risk management, security governance, control implementation and ongoing improvement.
Security frameworks help organisations align with recognised standards and industry best practices to enhance their security posture.
Project phase: Security frameworks apply across all phases of a project life cycle.
During the planning phase, they provide guidance for assessing risks, defining security requirements and establishing security objectives.
In the execution phase, they aid in the selection and implementation of appropriate security controls.
In the maintenance phase, they assist in the continuous monitoring, evaluation and improvement of security practices.
Security processes
Security processes refer to documented and well-defined procedures that guide the handling of security-related activities within an organisation.
These processes outline step-by-step instructions for effectively managing activities like security incidents, implementing change, addressing vulnerabilities and so on.
A few examples of the processes you need to identify are incident response processes, change management processes and vulnerability management processes.
Category: Policies, procedures and control frameworks
Purpose: The purpose of security processes is to establish clear and consistent procedures for handling security-related events and activities.
Additionally, they facilitate controlled and secure changes to the organisation’s systems and applications while managing vulnerabilities to minimise risks.
Project phase: Security processes mainly apply during the execution and maintenance phases of a project life cycle.
During the execution phase, incident response processes help manage and mitigate security incidents as they arise.
Change management processes are followed to ensure that security is maintained during system changes. Vulnerability management processes help identify, assess and remediate vulnerabilities.
These processes are continually refined and maintained during the maintenance phase.
Security education and training
Security education and training activities teach security best practices by improving the knowledge, skills and awareness of individuals in the organisation.
They include security awareness programmes, cyber security training and other educational initiatives aimed at promoting a security-conscious culture.
They can also include technical security training such as secure coding, software development life cycle (SDLC) and so on.
Category: Awareness and training
Purpose: The purpose of security education and training is to educate members of the project team about security risks, best practices and their role in ensuring the delivery of a service that is Secure by Design.
It aims to raise awareness, develop security-related skills and foster a security-conscious culture throughout the delivery life cycle.
It helps reduce human error, improve incident response and enhance overall security posture.
Project phase: Security education and training is relevant in all phases of a project life cycle.
During the planning phase, it helps define security training requirements and establish the foundations of a security-conscious environment.
In the execution phase, it ensures that the team members and stakeholders receive necessary training to handle security responsibilities effectively.
In the maintenance phase, ongoing training and awareness activities help reinforce security practices and address emerging threats.
Third-party supplier management
Third-party supplier management involves assessing and managing the security risks associated with external third-party suppliers who provide goods or services to the organisation.
This resource is required for activities such as third-party risk assessment and supplier security evaluation.
The objective is to ensure that third-party suppliers meet the organisation’s security requirements and adhere to industry-standard security practices.
You should identify the resources that will perform this function.
Category: People
Purpose: The purpose of third-party supplier management is to mitigate security risks that may arise from engaging third-party suppliers.
The resource aims to establish processes and procedures to evaluate and monitor the security posture of third-party suppliers throughout the project life cycle.
By conducting security evaluations of third-party suppliers, organisations can make informed decisions about third-party supplier selection and manage the associated security risks effectively.
Project phase: Third-party supplier management is relevant during all phases of a project.
During the planning phase, you should establish security requirements and criteria for selecting third-party suppliers.
In the execution phase, you should conduct security assessments and evaluations on potential third-party suppliers.
In the maintenance phase, by continuing to monitor and evaluate third-party suppliers’ security practices, you can help ensure compliance continues and risks are mitigated.
Security monitoring
Security monitoring is the practice of continuously monitoring network and system logs for security events, anomalies and suspicious activities.
It involves using security information and event management (SIEM) systems, log monitoring tools and other technologies to collect, analyse and correlate security-related data.
Security monitoring is an important element of Secure by Design, so you should identify security monitoring resources that are available within your organisation.
Category: Tool or technology
Purpose: The purpose of security monitoring is to detect, investigate and respond to potential security incidents in a timely manner.
It enables organisations to identify security threats, unauthorised access attempts, data breaches and other abnormal activities.
By monitoring and analysing security logs, organisations can proactively address security risks and maintain the integrity and availability of their systems.
Project phase: Security monitoring mainly applies during the execution and maintenance phases of a project life cycle.
In the execution phase, monitoring activities help to identify potential security incidents so that appropriate action can be taken to mitigate them.
In the maintenance phase, continuous monitoring ensures teams are up to date and aware of a system’s security posture. This helps teams respond to incidents quickly and apply the necessary updates.
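The collection, analysis and correlation described above is usually done by a SIEM, but the core of a detection rule is small. The following is an added example, not part of the original page or of any particular SIEM product: it parses a constructed set of SSH authentication log lines in an assumed simplified format, correlates failed logins per source address within a time window, and escalates the alert if a successful login from the same address follows the burst of failures (a common indicator that a brute-force attempt succeeded). The log format, thresholds and sample data are assumptions chosen for illustration.

```python
"""Added example: a minimal log-correlation rule over constructed auth log lines.

The log format (a simplified sshd style), the sample data, the threshold
and the window are all assumptions for illustration, not taken from the page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:04Z sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:09Z sshd: Failed password for root from 203.0.113.5
2024-05-01T10:00:15Z sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:20Z sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:31Z sshd: Accepted password for admin from 203.0.113.5
2024-05-01T10:02:00Z sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:45:00Z sshd: Failed password for alice from 198.51.100.7
"""

# Assumed line format; anything that does not match is skipped rather than
# guessed at, so malformed or unexpected lines cannot silently become events.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Collect: turn raw log lines into structured events."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def correlate(events, threshold=5, window=timedelta(minutes=1)):
    """Analyse and correlate: alert when `threshold` failed logins from one
    source address fall within `window`. If an Accepted login from the same
    address follows within `window` of the last failure, escalate to 'high'
    and record which account was accessed."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        # Sliding window over consecutive failures from this address.
        for i in range(len(failures) - threshold + 1):
            first, last = failures[i], failures[i + threshold - 1]
            if last["ts"] - first["ts"] > window:
                continue
            success = next(
                (e for e in evs
                 if e["result"] == "Accepted"
                 and last["ts"] <= e["ts"] <= last["ts"] + window),
                None,
            )
            alerts.append({
                "ip": ip,
                "severity": "high" if success else "medium",
                "first_failure": first["ts"],
                "last_failure": last["ts"],
                "accessed_user": success["user"] if success else None,
            })
            break  # one alert per source address per run
    return alerts


def run_rule(log_text=SAMPLE_LOG):
    return correlate(parse(log_text))


if __name__ == "__main__":
    for alert in run_rule():
        print(alert)
```

On the constructed sample, 203.0.113.5 produces five failures in nineteen seconds followed by an accepted login, so it generates a single high-severity alert naming the admin account; 198.51.100.7 has only two failures, forty-three minutes apart, and generates nothing. In a real deployment the same logic would run continuously over the log stream and the thresholds would be tuned to the service, but the shape of the rule (parse, group, window, escalate on a follow-on event) is what a security monitoring resource needs to be able to provide.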
Security health check and penetration testing
A security health check and penetration testing involve comprehensive assessments of the security posture of systems, networks, services and applications.
These activities aim to identify vulnerabilities and test the effectiveness of security defences through controlled testing. They provide valuable insights into potential weaknesses and areas for improvement.
It’s likely that external facing services will be required to undergo a security health check before they can go live.
Security health checks are usually performed by managed service providers or external vendors, so it is important to identify this resource at the start of the project.
Category: Tool or technology
Purpose: The purpose of a security health check and penetration testing is to assess the security measures and controls that have been put in place to secure your service.
They validate the effectiveness of existing controls and identify vulnerabilities that could be exploited by potential attackers.
These assessments help identify weaknesses, assess the impact of potential attacks and provide recommendations to strengthen the security posture of the service.
Project phase: A security health check and penetration testing mainly apply during the execution and maintenance phases of a project life cycle.
In the execution phase, these activities help identify vulnerabilities and weaknesses in systems and applications before they go live.
In the maintenance phase, regular testing ensures that security controls remain effective and responsive to emerging threats.
Security assurance
Security assurance involves conducting assessments to evaluate compliance with security policies, regulations and industry standards.
It can include activities such as security audits, compliance assessments and control validations to ensure adherence to established security requirements.
Category: Policies, procedures and control frameworks
Purpose: The purpose of security assurance is to assess the effectiveness of security controls, identify gaps or non-compliance and check the organisation is adhering to security policies, regulations and industry standards.
These assessments help identify vulnerabilities, provide insights for improvement and demonstrate the organisation’s commitment to maintaining a robust security posture.
Project phase: Security assurance mainly applies during the execution and maintenance phases of a project life cycle.
In the execution phase, audits and assessments can provide baseline measurements and identify any initial non-compliance or weaknesses.
In the maintenance phase, regular audits ensure ongoing compliance, validate control effectiveness and address emerging security risks.
Security incident management
Security incident management involves establishing incident response plans and incident handling processes to effectively detect, respond to and recover from security incidents.
It includes developing incident response playbooks, coordinating incident response efforts and post-incident analysis to prevent future incidents.
Category: Tool or technology
Purpose: The purpose of security incident management is to minimise the impact of security incidents on the organisation’s systems, data and operations.
It aims to promptly identify security incidents, contain and mitigate their effects and restore normal operations as quickly as possible.
Incident management processes enable a structured and coordinated approach to incident response, ensuring a timely and effective response to security breaches.
Project phase: Security incident management applies mainly during the execution and maintenance phases of a project life cycle.
During the execution phase, incident response plans are implemented and incident handling processes are followed to address security incidents as they occur.
In the maintenance phase, incident management processes are continuously reviewed, updated and tested to improve response capabilities.