Tracking Secure by Design progress
When delivering a service you should establish a Secure by Design confidence profile at the beginning of the project and maintain it as the service evolves.
A self assessment tracker has been developed which aligns with the Secure by Design principles you need to meet throughout the service lifecycle. Delivery managers should integrate completion of the self assessment into regular delivery activities involving the relevant team members. This will allow you to:
- maintain a live measure of confidence to reflect whether the delivery team is following the Secure by Design approach
- understand which security activities require action or attention
- add the necessary resources required to deliver activities into project plans
- enable transparency and clear communication across delivery teams and security professionals
- submit a confidence profile as part of the digital and technology spend controls approval process
The Secure by Design self assessment is designed to facilitate lightweight and continuous assurance discussions within project delivery. It should not replace existing security assurance practices within your organisation.
Completing this activity will help you to achieve the outcomes included in the Secure by Design principle to embed continuous assurance.
Who is involved
Delivery managers within your project should have responsibility for completing and maintaining the Secure by Design self assessment tracker and for ensuring this happens as part of regular delivery processes. They will need to collaborate with technical and security teams, including their organisation’s Chief Information Security Officer (CISO), to ensure the criteria have been met correctly and the appropriate evidence is available.
The project’s Senior Responsible Owner (SRO) and service owner should be consulted at key points in the development of the tracker, providing sign-off when it is being submitted for approval.
How to embed a continuous assurance process
Step 1: Understand what the self assessment tracker is for
This tracker allows delivery teams within government departments and arm’s-length bodies (ALBs) to demonstrate how they are meeting the Secure by Design principles. It will provide you with a confidence profile (low, medium or high) applicable to the phase you are at within the service lifecycle. If your project is in scope for the digital and technology spend controls approval process, this tracker must be submitted to the Cabinet Office with support from your internal assurance teams.
You should use this tracker from the start of your project and continue updating it throughout the delivery of the digital service. Each service should have a single self assessment that can be updated throughout its lifecycle.
Step 2: Download the self assessment tracker
This tool is an alpha prototype that is currently being assessed and improved.
Select your preferred format of the self assessment tracker and download it.
Populate the ‘Project Profile’ tab with the necessary information. Save it to an appropriate folder within your file management system. The completed tracker describes your service’s security posture and links to its supporting evidence, so it should be treated as a sensitive asset and only be accessible to those who need to view or contribute to it.
Step 3: Familiarise yourself with how the self assessment tracker works
The tracker contains tabs that relate to project phases:
- Discovery Phase – equivalent to the requirements analysis stage in non-agile projects
- Alpha or Private Beta Phase – equivalent to the design, build, test and implement stages in non-agile projects
- Public Beta or Live Phase – equivalent to the maintenance stage in non-agile projects
Within each of these is a series of questions that map to Secure by Design principles.
Your response to each question will affect your overall security confidence profile. This will be shown as low, medium or high on each tab. By responding positively to each question, you will be able to achieve the high confidence profile required for the Cabinet Office digital and technology spend controls assurance process.
It is important to note that a high confidence profile does not necessarily mean that your service is secure. The confidence profile provides a way to continuously monitor adherence to Secure by Design principles, but it does not replace the need for security assurance practices within organisations. It is not a risk register, a risk treatment plan or a risk management report.
Step 4: Complete the questions in the self assessment tracker
At the appropriate points within your project delivery, work through the questions in the tab that’s relevant to your current project stage and provide:
- a response – Yes, No, or I don’t know (Not applicable is also an option on some questions)
- the appropriate supporting evidence
Your supporting evidence should be a clear and concise explanation of how the security requirement has been met, or a link to an output such as a risk assessment report or risk treatment plan.
When providing links to documents, ensure that access has been set appropriately to maintain the security of the information you are referencing. Outputs such as risk assessments and risk treatment plans describe known weaknesses in the service, so links to them should be restricted to the people who need to review them rather than shared openly.
Step 5: Keep the self assessment tracker current
Include the maintenance of the self assessment within your project delivery processes, updating the information to reflect new evidence or when there are significant changes in outputs already submitted.
You may be required to change a response from a ‘Yes’ to a ‘No’ if the evidence supplied no longer meets the criteria of the self assessment. If this affects the status of your confidence profile, ensure the relevant people within your project and organisation are made aware, then take the necessary steps to manage or mitigate the issue.
When moving between service delivery phases, you will see some questions appearing on more than one tab. This is to ensure that the outputs are refreshed and reconsidered by delivery teams, risk owners and assurance teams for their suitability as the service evolves through its lifecycle. It is possible to repeat the response from an earlier phase if the security requirement or implications remain unchanged.
Share the information with your delivery team, business risk owners and your organisation’s security function so it can be factored into project planning and decision making.