Secure by Design Policy

1.1. All central government departments and arm’s-length bodies (ALBs) shall incorporate effective security practices based on the common government Secure by Design principles when delivering and building digital services and technical infrastructure.

2.1. The government’s Secure by Design principles provide the foundations for effective cyber security practices in digital delivery, leading to cyber resilient digital services that keep citizens and government safe. They aim to improve trust and data sharing between government organisations and improve security culture by making security everyone’s collective responsibility.

2.2. This policy sets out the mandatory requirements that affected organisations shall meet to implement this policy.

3.1. This policy is for everyone in central government departments and ALBs involved in the design and delivery of systems and services. This includes but is not limited to:

• Chief Digital and Information Officers (CDIOs) and Chief Technology Officers (CTOs)
• Senior Responsible Officers (SROs)
• Chief Information Security Officers (CISOs) and cyber security professionals responsible for advising on cyber security risk management and implementation of security policies, standards and procedures
• Product and delivery roles responsible for the development and delivery of secure digital services
• Programme and project management roles
• Software development roles responsible for developing secure software
• IT operations roles (DevOps)
• User-centred design roles
• Technical and security architects
• Commercial teams responsible for ensuring Secure by Design is included in relevant contracts

Organisations:

4.1. This policy applies to central government organisations and ALBs. It may also be optionally adopted by other parts of the public sector.

Digital services and infrastructure:

4.2. This policy applies to new or significant changes (for example those requiring a treasury business case or those where there is significant change to the cyber risk profile) to digital service and technology infrastructure either built within departments or procured through suppliers which are in scope of digital and technology spend controls approval process.

Out of scope:

4.3. This policy does not apply to digital services which are in operation or routine maintenance. Over time, it is expected that all digital services will either be retired or come into scope for this policy.

5.1. By not designing digital services with security in mind from the outset, there is an increased risk of data breaches and service disruption which could result in:

• 5.1.1. reputational damage to government organisations and loss of public trust.
• 5.1.2. loss of management’s ability to effectively govern or operate the service or organisation.
• 5.1.3. negative impact on the operation of government’s essential functions and delivery of public services.
• 5.1.4. legal liability and regulatory penalties for government organisations if a data breach is found to have been caused by government personnel.
• 5.1.5. costs related to fixing the vulnerabilities and implementing additional security controls to prevent repeat occurrences.

This policy contains both mandatory and advisory elements using the same language as Functional Standard GovS 007: Security.

• shall means a requirement: a mandatory element
• should means a recommendation: an advisory element

The requirements in this section are directly linked to the published Secure by Design principles. Central government organisations and ALBs shall meet these requirements.

6.1. Create responsibility for cyber security risk by:

• 6.1.1. ensuring the business case(s) encompassing the delivery of digital services or technical infrastructure incorporate cyber security considerations.
• 6.1.2. designating an executive leadership role (such as the CDIO or equivalent) with overall accountability for the adoption of Secure by Design within the organisation.
• 6.1.3. designating a senior leadership role (such as the SRO, service owner or equivalent) with overall accountability for the management of cyber security risks of digital services and technical infrastructure during their delivery.
• 6.1.4. ensuring the senior leadership role has visibility of key cyber security risk decisions made throughout the digital service delivery lifecycle.
• 6.1.5. regularly identifying and allocating the cyber security responsibilities required for the delivery of the digital service and technical infrastructure.
• 6.1.6. ensuring sufficient and suitable resources are made available to manage cyber security risks throughout the digital service lifecycle, and are given the support necessary to carry out their duties.
• 6.1.7. incorporating requirements for Secure by Design within commercial contracts for suppliers.

6.2. Source secure technology products by:

• 6.2.1. carrying out security reviews on third-party products before they are implemented.
• 6.2.2. mitigating any security risks associated with using third-party products to a level that meets the organisation’s and project’s security risk appetite.
• 6.2.3. ensuring any third-party products meet the relevant security obligations, regulations, and industry security standards.
• 6.2.4. making balanced decisions on the trade-off between security and usability.

6.3. Adopt a risk-driven approach when delivering digital services by:

• 6.3.1. agreeing the security risk appetite for the digital service and sharing this across the delivery teams.
• 6.3.2. documenting and prioritising the cyber security related legal, regulatory and contractual requirements that must be met by a digital service.
• 6.3.3. carrying out threat modelling to understand how potential threats apply to the digital service and infrastructure as the service evolves.
• 6.3.4. carrying out security risk assessments and managing identified risks during the service lifecycle in line with the organisation’s approach to security risk management.
• 6.3.5. communicating residual security risks to the accountable individuals and security function for incorporating these into the organisation’s risk registers.

6.4. Design usable security controls by:

• 6.4.1. taking into account security-related user needs discussed in user research or captured in user stories and journeys when designing security controls.
• 6.4.2. taking into consideration business objectives included in the business case when designing security controls.

6.5. Build detect and respond mechanisms for cyber security vulnerabilities by:

• 6.5.1. implementing appropriate security logging, monitoring and alerting mechanisms to discover cyber security events and vulnerabilities.
• 6.5.2. embedding effective incident response and recovery capabilities in the service design and delivery team processes.
• 6.5.3. regularly testing digital services and infrastructure to identify and fix weaknesses within systems before they can be exploited.

6.6. Design flexible architectures by:

• 6.6.1. using components that allow integration of new security measures in response to changes in business requirements, cyber threats and vulnerabilities.
• 6.6.2. using risk-based and adaptable security architectures (for example, zero trust architectures).
• 6.6.3. testing security controls and verifying they are fit for purpose before deployment.

6.7. Minimise the attack surface by:

• 6.7.1. implementing network security measures such as network segmentation to limit the lateral movement of attackers.
• 6.7.2. implementing baseline security controls, such as least privilege, anti-malware, endpoint detection and response, intrusion detection / prevention, and application allowlisting or denylisting.
• 6.7.3. following secure coding practices and acting upon any relevant findings from security tests, reducing any opportunities for potential attackers to exploit vulnerabilities.
• 6.7.4. mitigating security risks to a level that is within the acceptable risk appetite before a digital service goes live.
• 6.7.5. retiring service components securely when they are no longer needed, or at the end of their lifecycle.

6.8. Defend in depth by:

• 6.8.1. creating layered controls across a digital service so it’s harder for attackers to fully compromise the system if a single control fails or is overcome.
• 6.8.2. implementing mechanisms to keep the impact of potential security incidents contained.
• 6.8.3. testing security controls and verifying they are fit for purpose before deployment.

6.9. Embed continuous assurance by:

• 6.9.1. testing security controls regularly to ensure they operate effectively and that no known vulnerabilities exist.
• 6.9.2. reassessing controls against changes in the service or threat landscape.
• 6.9.3. ensuring the service is built and maintained with the appropriate controls required to mitigate security risks.
• 6.9.4. keeping track of adherence with Secure by Design principles throughout the digital service lifecycle.
• 6.9.5. providing accountable individuals and risk owners with regular evidence that security controls and capabilities are operating as intended.

6.10. Make changes securely by:

• 6.10.1. assessing the security impact of changes before these are made to digital services and infrastructure.
• 6.10.2. recording any residual unmitigated risks to the cyber security risk register and sharing this with the accountable individuals and security function responsible for incorporating these into the organisation’s risk registers.

7.1. Organisations shall ensure a risk-based approach to implementation, proportionate to the prevailing level of cyber risk and in line with their organisation’s business objectives and priorities.

7.2. Organisations have the flexibility to decide how to meet the requirements of this policy within practicable timescales.

7.3. Where an organisation is not compliant with the requirements of this policy, this risk shall be formally managed with appropriate risk mitigations put in place in line with the organisation’s risk tolerance. Organisations shall work towards future compliance in line with their business objectives and priorities.

7.4. Compliance to the requirements of this policy shall be reviewed through the digital and technology spend controls approval process. Sufficient compliance shall be demonstrated by achieving a “high” security confidence profile in the Secure by Design self assessment tracker.

8.1. This policy is supported by and relates to the:

• Functional Standard GovS 007: Security, which sets expectations for the security activities organisations must carry out to protect government assets.
• Cyber Security Standard, which defines the cyber security outcomes organisations must meet and the assurance process they must follow. Note that Secure by Design is a mandatory element of the standard.
• the government Cyber Security Policy Handbook, which provides a collection of policies and guidance to help organisations achieve their Cyber Assessment Framework (CAF) profiles.
• the Secure by Design approach, which sets out the indicative activities project teams and security professionals need to do to incorporate effective cyber security practices in digital delivery.
• relevant security directives from the Government Chief Security Officer or government ministers
• National Cyber Security Centre (NCSC) guidance on good security practices.

9.1. The requirements described in this policy will help government organisations achieve the required security outcomes in the NCSC Cyber Assessment Framework (CAF) with the exception of:

• 9.1.1. B1 – Service protection policies and processes
• 9.1.2. B6 – Staff awareness and training
• 9.1.3. D1 – Response and recovery planning
• 9.1.4. D2 – Lessons learned