Tracking Secure by Design progress

The Secure by Design self assessment tracker aligns with the Secure by Design principles you need to meet throughout the service delivery life cycle. Delivery managers should integrate completion of the self assessment tracker into regular activities involving the relevant team members. This will allow your project to:

• maintain a live measure of confidence to reflect whether the delivery team is following the Secure by Design approach
• understand which security activities require action or attention
• add the necessary resources required to deliver activities into project plans
• enable transparency and clear communication across delivery teams and security professionals
• submit a confidence profile as part of the digital and technology spend controls approval process

The Secure by Design self assessment is designed to facilitate lightweight and continuous assurance discussions within project delivery. It should not replace existing security assurance practices within your organisation.

Completing this activity will help you to achieve the outcomes included in the Secure by Design principle to embed continuous assurance.

Who is involved

Delivery managers within your project should be responsible for coordinating the completion and maintenance of the Secure by Design self assessment tracker as part of regular delivery processes. They will need to collaborate with technical and security teams, including your organisation’s Chief Information Security Officer (CISO) and Chief Technology Officer (CTO), to ensure the criteria has been met correctly and the appropriate evidence is available.

The project’s Senior Responsible Owner (SRO) and service owner should be consulted at key points in the development of the tracker, providing sign-off when it is being submitted for approval.

How to track Secure by Design progress

Step 1: Understand what the self assessment tracker is for

The tracker allows delivery teams within government departments and arm’s-length bodies (ALBs) to demonstrate how they are meeting the Secure by Design principles. It will provide you with a confidence profile (low, medium or high) applicable to the phase you are at within the service life cycle.

If your project is in scope for the digital and technology spend controls approval process, you will be asked two questions in relation to the tracker as you pass through the Get approval to spend service:

• whether you have completed this self assessment tracker
• if you have achieved a high security confidence profile

You do not routinely need to provide a copy of your completed tracker as part of the submission, but it may be requested subsequently by GDS as part of a follow-up review process.

If you have a low or medium security confidence profile, your assessors will discuss with your team which security requirements you have been unable to achieve and agree plans to put the necessary actions in place to improve the security posture of your service.

Step 2: Download the self assessment tracker and add project information

This is beta version 1.0 of the self assessment tracker. You can use the same self assessment tracker for each delivery stage.

1. Save the self assessment tracker to an appropriate folder in your file management system. It should be treated as an asset and so should only be accessible to those who need to view or contribute to it.
2. Open the tracker and go to the Project profile worksheet.
3. Add information about your project to the Project dashboard table. Use the dropdown in the Delivery phase field of the table (cell B16) to select the appropriate agile or waterfall delivery phase for your service. We also recommend adding information about the document itself to the Document control dashboard table (which begins in cell D12).

Step 3: Understand how the self assessment tracker works

For simplicity, the tracker uses agile phases for worksheet titles and the confidence profile, but if you’re using non-agile methods:

• discovery phase is equivalent to the requirements gathering stage
• alpha is equivalent to the design, build stage
• private beta is equivalent to the design, build, test, implement stage
• public beta or live is equivalent to the operate stage

In each of the phase worksheets (Discovery, Alpha, Private beta and Public beta or live), you’ll see a list of questions associated with recommended Secure by Design activities. The questions help track your progress through activities and each activity helps you meet one or more of the Secure by Design principles.

You’ll complete the tracker during the course of delivery by providing a response to each question, selecting from Yes, No or N/A (not applicable).

When you begin, by default the Project profile worksheet’s confidence profile dashboard will have a ‘Low’ status for each phase. You’ll see the same status in cell B2 of each of the phase worksheets.

Your responses to the questions will determine your overall security confidence profile. The more ‘Yes’ responses you select, the closer you’ll get to achieving a high confidence profile. The confidence profile status will change to reflect this in cell B2 of the phase you’re on and in the overall dashboard.

We’ve applied different levels of weighting to each response you select. Actions which are particularly important in achieving a high confidence profile have a heavier weighting.

If you select N/A as a response to any action, you should provide a note explaining why you’ve marked that item as unnecessary for your service at this phase. If you respond to too many questions with N/A, your security confidence profile will remain low, indicating that you have not completed enough activities to achieve a sufficiently secure service.

As part of the spend controls procress, you’ll need a high confidence profile to demonstrate that the digital service has been delivered according to Secure by Design principles.

Step 4: Provide a response to each question

As part of your regular project delivery process, add a response to each question in the worksheet that aligns to your delivery phase. To do this, use the dropdowns to answer Yes, No or N/A.

Many of the questions in the self assessment tracker use the second person (that is, they address ‘you’). For example, “Did you consult with business stakeholders when creating the impact assessment?” You should answer these questions on behalf of the project team; you do not have to have completed the activity personally.

The tracker has a Notes or evidence column where you are expected to add supporting information, such as an explanation of how the security requirement has been met, or a reference to where activity outputs can be found.

You do not need to provide links to documents. If you do, you must ensure that access has been set appropriately to maintain the security of the information you are referencing.

Step 5: Keep the self assessment tracker current

Include the maintenance of the self assessment tracker within your project delivery processes, updating the information to reflect new evidence or when there are significant changes in outputs already submitted.

You may be required to change a response from a Yes to a No if the evidence supplied no longer meets the criteria of the self assessment. If this affects the status of your confidence profile, ensure the relevant people within your project and organisation are made aware, then take the necessary steps to manage or mitigate the issue.

When starting a new delivery phase, it is possible to copy over notes or evidence from an earlier phase if the security requirement or implications remain unchanged.