Guide to adopting Secure by Design – Transition
Once you have put the fundamental processes in place, you can begin applying the Secure by Design approach to active projects.
Capture feedback from pilot project(s)
The most important element of the test process is to gather information. This should cover what has worked as well as what hasn’t so improvements and solutions can be devised.
An evaluation can be shared with delivery teams in a staggered way by delivery phase, so those wanting to begin a discovery project don’t need to await the findings of an alpha stage pilot.
This tool calculates a security confidence profile at different stages within the service lifecycle, with questions mapped with Secure by Design principles.
This should be used by teams taking part in your trial so they can understand which security activities require action or attention.
Your Secure by Design champion should devise the appropriate method and schedule for collecting feedback, covering both analytical and anecdotal information that can be used to improve full implementation.
- Support is available from CDDO via your Secure by Design champion if you encounter any obstacles or blockages that prevent progress which can’t be resolved internally
Inform in-scope projects about their Secure by Design obligations
When considering options for your pilot scheme, you will have gathered information on the services and projects where Secure by Design needs to be applied. Your champion should work with leaders including the CDIO, CISO, CTO and Senior Responsible Owners (SROs) to define a comprehensive list of all planned and existing projects that fall within scope.
This could also include arm’s-length bodies (ALBs) that your organisation has responsibility over.
Your Secure by Design working group should contain individuals that are able to access and influence delivery and support teams that need to be aware of Secure by Design.
- Update your communication plan to include details of the necessary information to share across teams through appropriate channels. This will enable communication to be tailored for each team, while remaining overall message consistency.
Regular online sessions led by cyber security experts from Cabinet Office CDDO will provide an opportunity for teams to ask questions and share issues related to implementing Secure by Design.
- Details of surgery schedules and how to attend will be shared with the champions from each organisation and posted on the xgov-secure-by-design-implementation Slack channel.
Embed Secure by Design embedded within commercial and procurement processes
CDDO is working with the Government Commercial Function to incorporate Secure by Design into future procurements and contracts that can be applied to projects.
Organisations should make updates to updates to procurement documents and commercial contracts and work with their suppliers to encourage them to adopt the Secure by Design principles.
This should cover contracts related to both infrastructure and personnel. For active contracts, establish when they are due for renewal and the implications of making mid-term amendments so the resources required to agree changes can be prioritised.
- Read information on Managing third-party product security risks
Turn the transition plan into an operational plan
Update the outline transition plan produced during the preparation phase to take into account the lessons learned during the pilot scheme.
This should include specific plans for addressing any gaps that were identified in the preparation checklist and accurate resource estimates for updating internal policies and processes.
Produced and managed collaboratively by the working group, this should cover a list of required actions that delivery teams working on services within your organisation can work through systematically to achieve the required outcomes.
- The Secure by Design activities provide good practice guidance and step-by-step walkthroughs that can be tailored to reflect your organisation’s specific structure, processes and resources
Share Secure by Design progress with internal teams and senior leaders
To ensure there’s sufficient momentum to achieve full adoption of Secure by Design within the required timescales, regular engagement should take place with affected teams and those ultimately responsible for the successful implementation.
You may also choose to share relevant information with selected suppliers so they’re aware of their responsibilities in relation to Secure by Design and are able to change their ways of working to meet requirements.
This opportunity for a regular check-in allows details of progress to be shared with those accountable. It also creates a platform for issues to be identified, additional resources to be requested, and decisions to be made.
Collating the highlights of these meetings (such as agreed actions or achieved milestones) will help both visibility and accountability. These should be shared through existing comms channels, or through a dedicated Secure by Design newsletter update curated by your champion.