The Central Digital and Data Office (CDDO) has published a cross-government approach for the implementation of ‘secure design’ principles for digital systems.
It outlines the principles and a set of design activities for government departments and arm’s length bodies, emphasising that the approach is a strategic priority in the Government Cyber Security Strategy and the Transforming for a digital future roadmap.
The move comes soon after Deputy Prime Minister Oliver Dowden announced that secure by design has become mandatory for central government systems.
Secure by design means considering security strategies, tactics and patterns at the beginning of a software design, with the selected ones then used as principles for developers. It also makes security a responsibility of everybody within a project team.
The document for the approach sets out 10 principles, including creating responsibility for any cyber security risks, designing usable security controls, minimising the attack surface and embedding continuous assurance.
It adds that project teams will need to provide a self-assessment as evidence of applying the principles when taking part in the spend controls approval process.
Advice on activities
The design activities – which are advisory – cover preparing a secure service, understanding the security landscape, managing cyber security risks, anticipating and responding to incidents, and maintaining continuous assurance.
Introducing the approach in a blogpost, CDDO’s head of securing digital transformation, Fotini Tsekmezoglou, said the organisation is working on an indicative implementation model to help others integrate the approach into their own practices.
It is also planning to share other resources including a gap analysis template and generic transition and communication plans.
“We’re very much on a journey with secure by design,” she added. “We expect to continue refining the approach in light of organisations’ experiences with the approach and further discovery work in the future.”