Tracking Secure by Design progress
When delivering a digital service you should keep track of a Secure by Design confidence profile to ensure cyber security remains integral and good practice is being applied as the service evolves.
A self assessment tracker has been developed which aligns with the Secure by Design principles you need to meet throughout the service delivery lifecycle. Delivery managers should integrate completion of the self assessment tracker into regular activities involving the relevant team members. This will allow you to:
- maintain a live measure of confidence to reflect whether the delivery team is following the Secure by Design approach
- understand which security activities require action or attention
- add the necessary resources required to deliver activities into project plans
- enable transparency and clear communication across delivery teams and security professionals
- submit a confidence profile as part of the digital and technology spend controls approval process
The Secure by Design self assessment is designed to facilitate lightweight and continuous assurance discussions within project delivery. It should not replace existing security assurance practices within your organisation.
Completing this activity will help you to achieve the outcomes included in the Secure by Design principle to embed continuous assurance.
Who is involved
Delivery managers within your project should be responsible for coordinating the completion and maintenance of the Secure by Design self assessment tracker as part of regular delivery processes. They will need to collaborate with technical and security teams, including your organisation’s Chief Information Security Officer (CISO) and Chief Technology Officer (CTO), to ensure the criteria have been met correctly and the appropriate evidence is available.
The project’s Senior Responsible Owner (SRO) and service owner should be consulted at key points in the development of the tracker, providing sign-off when it is being submitted for approval.
How to track Secure by Design progress
Step 1: Understand what the self assessment tracker is for
This tracker allows delivery teams within government departments and arm’s-length bodies (ALBs) to demonstrate how they are meeting the Secure by Design principles. It will provide you with a confidence profile (LOW, MEDIUM or HIGH) applicable to the phase you are at within the service lifecycle. If your project is in scope for the digital and technology spend controls approval process, this tracker must be submitted to the Central Digital and Data Office (CDDO) with support from your internal assurance teams.
That process is facilitated by the Get approval to spend service, where you will be asked:
- whether you have completed this self assessment
- if you have achieved a HIGH security confidence profile
You do not need to provide a copy of your tracker as part of the submission, but it may be requested as part of the follow-up review process.
If you have a LOW or MEDIUM security confidence profile, your assessors will discuss with your team which security requirements you have been unable to achieve and agree plans to put the necessary actions in place to improve the security posture of your service.
Step 2: Download the self assessment tracker
This tool is version 2 of an alpha prototype that is currently being assessed and improved. Each digital service should have a separate self assessment for each delivery stage.
Select a preferred self assessment tracker format
Populate the ‘Summary’ tab with the necessary information. Save it to an appropriate folder within your file management system. It should be treated as an asset and therefore only be accessible to those who need to view or contribute to it: a completed tracker records which security activities have not been done, which is exactly the information an attacker would want.
Step 3: Understand how the self assessment tracker works
Use the dropdown tool in the ‘Summary’ tab to select the appropriate agile or waterfall delivery phase for your service. If your project is using non-agile methods, choose the option that maps most closely to your current delivery phase:
- Discovery Phase – equivalent to the requirements analysis stage in non-agile projects
- Alpha or Private Beta Phase – equivalent to the design, build, test and implement stages in non-agile projects
- Public Beta or Live Phase – equivalent to the maintenance stage in non-agile projects
In the ‘Self Assessment Actions’ tab is a list of actions associated with recommended Secure by Design activities. Those marked as required will differ depending on the delivery phase selected. Complete the tracker during the course of delivery by providing a response to each action, selecting from “Yes”, “No” or “N/A” (not applicable).
Your responses will be reflected on the progress charts within the ‘Summary’ tab. These are displayed in relation to activities and the Secure by Design principles they are mapped to. Some activities relate to more than one principle, so you may see different completion rates on each chart.
Your total “Yes” responses will determine your security confidence profile. This will be shown on the ‘Summary’ tab as LOW, MEDIUM or HIGH. Weighting has been applied to certain actions during each delivery phase to indicate those which are particularly important to achieving the necessary security levels.
If you select “N/A” as a response to any action, you will be prompted to provide a note explaining why that item has been marked as unnecessary for your service at this phase. If you mark too many actions as “N/A”, your security confidence profile will be set as INVALID which indicates that not enough activities have been completed to achieve a sufficiently secure service.
A HIGH confidence profile is required to demonstrate that the digital service has been delivered in accordance with the Secure by Design principles.
It is important to note that a HIGH confidence profile does not necessarily mean that your service is secure. The confidence profile provides a way to continuously monitor adherence to Secure by Design principles, but it does not replace the need for security assurance practices within organisations. It is not a risk register, a risk treatment plan or a risk management report.
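The following is an added illustration of the scoring behaviour described above, written for this page rather than taken from the CDDO tracker; the spreadsheet itself is the source of truth. The action names, principle labels, weights, the HIGH/MEDIUM cut-offs and the N/A share that triggers INVALID are all assumptions chosen to make the mechanics visible (the guidance does not publish them), as is the choice to score only the actions required in the selected phase and to drop N/A actions from the denominator.

```python
"""Hypothetical model of the Secure by Design self assessment scoring.

Added example, not the tracker's own formula: weights, thresholds,
action IDs and principle labels below are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Phase(Enum):
    DISCOVERY = "Discovery"
    ALPHA_PRIVATE_BETA = "Alpha or Private Beta"
    PUBLIC_BETA_LIVE = "Public Beta or Live"


@dataclass(frozen=True)
class Action:
    """One row of the 'Self Assessment Actions' tab (constructed)."""
    action_id: str
    principles: tuple          # an action may map to more than one principle
    required_in: frozenset     # phases in which the action is required
    weight: int = 1            # assumed weighting: 1 ordinary, 3 critical


@dataclass(frozen=True)
class Response:
    answer: str                # "Yes", "No" or "N/A"
    note: str = ""             # the 'Notes or evidence' column


# Assumed thresholds (not taken from the guidance).
HIGH_THRESHOLD = 0.9
MEDIUM_THRESHOLD = 0.6
MAX_NA_SHARE = 0.25           # more N/A weight than this -> INVALID


def validate(actions, responses):
    """List problems: unknown answers, or an N/A without an explanatory note."""
    problems = []
    for a in actions:
        r = responses.get(a.action_id)
        if r is None:
            continue
        if r.answer not in ("Yes", "No", "N/A"):
            problems.append(f"{a.action_id}: unknown answer {r.answer!r}")
        elif r.answer == "N/A" and not r.note.strip():
            problems.append(f"{a.action_id}: N/A requires a note")
    return problems


def confidence_profile(actions, responses, phase):
    """Return LOW, MEDIUM, HIGH or INVALID for the actions required in `phase`."""
    required = [a for a in actions if phase in a.required_in]
    total = sum(a.weight for a in required)
    if total == 0:
        return "INVALID"
    na_weight = yes_weight = 0
    for a in required:
        r = responses.get(a.action_id, Response("No"))   # unanswered counts as "No"
        if r.answer == "N/A":
            na_weight += a.weight
        elif r.answer == "Yes":
            yes_weight += a.weight
    if na_weight / total > MAX_NA_SHARE:
        return "INVALID"
    applicable = total - na_weight
    share = yes_weight / applicable if applicable else 0.0
    if share >= HIGH_THRESHOLD:
        return "HIGH"
    if share >= MEDIUM_THRESHOLD:
        return "MEDIUM"
    return "LOW"


def principle_completion(actions, responses, phase):
    """Unweighted 'Yes' share per principle over required, applicable actions."""
    done, count = {}, {}
    for a in actions:
        if phase not in a.required_in:
            continue
        r = responses.get(a.action_id, Response("No"))
        if r.answer == "N/A":
            continue
        for p in a.principles:
            count[p] = count.get(p, 0) + 1
            if r.answer == "Yes":
                done[p] = done.get(p, 0) + 1
    return {p: round(done.get(p, 0) / n, 2) for p, n in count.items()}


# Constructed sample data: four actions, one phase's worth of answers.
ALL = frozenset(Phase)
BUILD = frozenset({Phase.ALPHA_PRIVATE_BETA, Phase.PUBLIC_BETA_LIVE})
ACTIONS = [
    Action("A1", ("Embed continuous assurance",), ALL, weight=3),
    Action("A2", ("Principle X", "Principle Y"), BUILD),
    Action("A3", ("Principle Z", "Principle W"), BUILD, weight=2),
    Action("A4", ("Principle W",), BUILD),
    Action("A5", ("Principle V",), frozenset({Phase.PUBLIC_BETA_LIVE})),
]
RESPONSES = {
    "A1": Response("Yes", "Assurance checkpoints in sprint ceremonies"),
    "A2": Response("N/A", "No third-party products in scope at this phase"),
    "A3": Response("Yes"),
    "A4": Response("Yes"),
}

if __name__ == "__main__":
    phase = Phase.ALPHA_PRIVATE_BETA
    print(validate(ACTIONS, RESPONSES))
    print(confidence_profile(ACTIONS, RESPONSES, phase))
    print(principle_completion(ACTIONS, RESPONSES, phase))
```

Running the sample gives HIGH with no validation problems; flipping A3 to "No" drops the profile to MEDIUM and, because A3 maps to two principles, lowers two charts at once, while marking both A1 and A2 as N/A pushes the N/A share past the assumed limit and returns INVALID.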
Step 4: Provide a response to each required action
As part of your regular project delivery process, update your responses to each required action.
Each action is associated with a Secure by Design activity that provides an explanation of why it is necessary and the steps required to achieve the intended outcome.
A ‘Notes or evidence’ column is provided where you can add supporting information, such as an explanation of how the security requirement has been met, or a reference to where activity outputs can be found.
It is not necessary to provide links to documents. If you do, you must ensure that access has been set appropriately to maintain the security of the information you are referencing.
It is possible for teams to provide responses to questions that are not specifically marked as required for each delivery stage. This allows teams to demonstrate that they have over-delivered on the standard set of security requirements; however, these responses do not directly influence the overall security confidence score.
Step 5: Keep the self assessment tracker current
Include the maintenance of the self assessment within your project delivery processes, updating the information to reflect new evidence or when there are significant changes in outputs already submitted.
You may be required to change a response from a “Yes” to a “No” if the evidence supplied no longer meets the criteria of the self assessment. If this affects the status of your confidence profile, ensure the relevant people within your project and organisation are made aware, then take the necessary steps to manage or mitigate the issue.
When starting a new delivery phase, it is possible to copy over responses and evidence from an earlier phase if the security requirement or implications remain unchanged.
Share the information with your delivery team, business risk owners and your organisation’s security function so it can be factored into project planning and decision making.