Identifying security resources
It’s essential to establish the people, processes, tools and suppliers required to build a secure service so you can ensure security is embedded throughout digital delivery.
By completing a comprehensive assessment of your project’s security needs you will be able to:
- plan when the necessary resources will be required during each phase of the project
- provide an accurate view of the likely cost of the project to reduce delivery risk and submit as part of the digital and technology spend controls approval process
- achieve cost savings by identifying what resources may already be available within your organisation
You should identify the needs for security resources as part of the discovery or commission phases and revisit these at the start of a new phase in the project lifecycle to ensure potential changes to the needs can be accommodated.
Completing this activity will help you to achieve the outcomes included in the Secure by Design principle to create responsibility for cyber security risk.
Who is involved
The people with the best knowledge of which resources will be required across the project lifecycle should be your Senior Responsible Owner (SRO), service owner and delivery, product, programme and project managers.
For technical information or specific details of how resources will be deployed within a project, you may also need to consult your Chief Technology Officer (CTO), Chief Information Security Officer (CISO), technical architect, security architect, business analyst and development team.
How to identify security resources
Step 1: Confirm your project’s security tasks
Using your business case and research undertaken as part of the discovery process, outline the tasks that will be required to build and maintain a secure service. You should:
- review the Secure by Design activities recommended throughout the delivery lifecycle
- consult with the SRO and project management teams to understand the project’s security risk appetite and what needs to be done to stay within it
Step 2: Capture the required people resources
For each task that has been identified, consider the skills required to deliver and oversee the security elements. Include people required as part of build processes and resources required for ongoing operational security.
State whether they should be:
- a permanent or temporary part of the delivery team
- shared resources sourced from the wider organisation
- contracted through third party vendors
The Secure by Design activity Agreeing roles and responsibilities will help you understand the tasks you should consider as part of digital cyber security.
It includes an example RACI (Responsible, Accountable, Consulted, Informed) matrix that shows how to assign duties to activities such as threat modelling, security risk management, security architecture and penetration testing.
Security training
If the skills needed to deliver the project need to be acquired or updated (for example, learning how to perform threat modelling), include details of how this training will be conducted, and who will be required to do it.
Consider that training (for example, education on protecting sensitive data or recognising phishing attempts) may be required for non-technical team members. This may already be available from within your organisation or the National Cyber Security Centre (NCSC).
Step 3: Capture the required technology resources
Consult with the wider organisation to assess the available security capabilities, software development environments and tools that will be required for the project.
Examples of common technology include:
- asset management systems
- identity and access management systems
- intrusion detection and prevention systems
- antivirus and anti-malware solutions
- secure network infrastructure
- dynamic application security testing (DAST)
- static application security testing (SAST) tools
If your project requires security technology that is not currently in use, discuss whether other teams or projects would benefit from it so resources can be shared.
Security policies, procedures and control frameworks
Review the existing security policies used within your organisation covering secure software development procedures, secure coding standards and acceptable use of technology.
If additional controls are required, include details of how these will be created, implemented and maintained throughout the project lifecycle.
Step 4: Document and share security resource needs
The output of this review should be a comprehensive list of the tasks required to deliver and maintain a secure service, the people involved during each project stage, and the associated technology.
Include as much detail as possible, for example how long each resource will be available for, whether it is available in-house, and the anticipated cost.
A clearly defined security resource plan should be made available to:
- the project management team
- those responsible for sourcing for the resources
- the organisation’s security operations team
- the information security assurance team
An edited version of this information may also need to be shared with suppliers who will be providing the people or technology required. This should explain how the security resources being procured are intended to fit into the wider context of the project, without providing the full details of the project’s security plan.