Understanding cyber security obligations

These include government policies, regulations, laws, and contracts, and will differ depending on the nature of the service and the type of data it handles.

By understanding and adhering to these responsibilities, you will be able to:

• adapt how you build and deliver your service to conform to requirements
• interoperate with other services more effectively by ensuring you are compliant with law and regulations
• avoid possible penalties or sanctions

This should be done during the discovery or requirement gathering phase of a project so you can include the relevant information from the business case and incorporate requirements into the service design. Regular compliance monitoring that reflects the latest policies and regulations should continue throughout the project lifecycle.

Completing this activity will help you to achieve the outcomes included in the Secure by Design principles to adopt a risk-driven approach and embed continuous assurance.

Who is involved

The people establishing which regulations are relevant to the project should be your Senior Responsible Owner (SRO), service owner, product manager and business analyst.

Your organisation’s legal, commercial and information management teams should be consulted to understand the relevant compliance requirements. Others within your team may also be able to provide information including your Chief Technology Officer (CTO), Chief Information Security Officer (CISO), technical architect and security advisor.

How to understand cyber security obligations

The following steps provide a guide for capturing and sharing your digital service’s security obligations profile.

Wherever possible, the focus of this activity should be on implementing the analysis of cyber security obligations already available within your organisation, rather than conducting your own research.

Step 1: Analyse cross-government and internal policies

Work with colleagues to assess:

• the organisation policies that need to be considered as part of your digital service
• the relevant requirements included in the Government Cyber Security Policy Handbook

A security policy framework is available for government departments planning to host OFFICIAL services or store data outside the UK. It outlines requirements to assess the risks that may arise from incompatible approaches to data protection.

Email gsgcyber@cabinetoffice.gov.uk to request this document.

Step 2: Review external laws and regulations

Work with colleagues in central department policy teams to confirm the cyber security and data protection laws and regulations that apply to your service. These could include:

• Data Protection Act (2018) – if the service stores, transmits or processes personal information
• Computer Misuse Act (1990) – relevant to preventing unauthorised access to data
• Freedom of Information Act (2000) – if the service records information that may be subject to a public request
• Network and Information Systems Regulations (2018) – relating to measures taken to ensure the security of essential services and infrastructure
• UK-US Data Access Agreement – if the service collects information that may need to be made available to organisations based in the US
• Payment Card Industry Data Security Standard – if your service takes payment from users through online transactions

This is not an exhaustive list and may not cover all the requirements that you might need to consider for your service. You should engage with your organisation’s legal and information assurance teams to understand what law and regulations might be relevant to your service.

For services classified as Critical National Infrastructure, the National Protective Security Authority (NPSA) and National Cyber Security Centre (NCSC) are able to provide advice on regulatory requirements.

Step 3: Check contracts with third parties

Consult with colleagues to identify cyber security clauses in contracts that apply to the digital service. These obligations could include responsibilities and requirements for:

• data encryption
• security audit frequency
• incident response plans
• compliance with industry-specific regulations

This needs to be completed for existing contracts already in place and any new contracts that are adopted as part of the service.

All contracts have obligations for both the customer and provider of the service which you should be aware of. You are expected to use the product or service in the way it was intended, while they need to supply the level of service that has been agreed.

When signing up to use a digital service there will usually be a standard set of terms and conditions that should be assessed for security risks before accepting. If these do not meet your risk appetite but you still wish to use the service, consider whether it is practical or reasonable to work with the supplier to modify them. This won’t be possible for all contracts and you will need to decide whether to accept the risks, mitigate them, or explore alternative options.

For third party contracts where there’s a more collaborative relationship, there will be an opportunity to present them with your organisation’s terms and conditions provided by your legal team. Rather than using a standard contract that covers every conceivable security obligation from previous related contracts, make sure these are tailored to an efficient set of obligations that are non-duplicative and relevant to the service.

Step 4: Record your cyber security obligations

Collate a list containing all the relevant cyber security policy, legal, regulatory and contractual requirements from the previous three steps.

Assess them to establish:

• the security implications, including what security controls need to be put in place to meet each requirement
• how obligations should be prioritised when building and delivering a digital service, taking into account the security risk appetite and consequences of non-compliance
• who needs to be assigned responsibility for ensuring the requirements are met, both during delivery and as the live service evolves

This should become an integral part of ensuring security is managed effectively throughout the lifecycle of the project, providing the relevant information to feed into risk assessments and a checklist to go through when implementing security controls.

Relevant details should be made available to:

• people responsible for managing service delivery risks, such as SROs and service owners
• people responsible for assessing cyber security risks and designing security controls, such as technical architects, security architects and developers
• commercial teams responsible for managing compliance with contracts
• those involved with making changes to the live service when legal or regulatory requirements change
• users of the service through a published privacy policy and terms and conditions they agree to when creating an account