Considering security within the business case
When preparing a business case, cyber security requirements must be included so that the appropriate funding, resources, skills and time can be allocated to manage cyber security risks effectively.
By including security within a business case you will:
- ensure the true cost and effort involved in protecting the service are clear from the start of the project
- reduce the potential of your project being rejected or delayed due to security risks
- put processes in place to deliver an appropriately secure service that protects user information
- create a foundation for adopting secure practices throughout digital delivery so you can meet the requirements of your GovAssure profile
As services develop from idea to implementation, different types of business cases may be required covering scoping, planning and procurement. Security considerations should be included at every stage, with steps taken to review and refine them as the project matures.
Completing this activity will help you to achieve the outcomes of the Secure by Design principles: create responsibility for cyber security risk, adopt a risk-driven approach, design usable security controls and embed continuous assurance.
Who is involved
The Senior Responsible Owner (SRO) and service owner should work together with a business analyst to agree on the service characteristics and understand the security considerations to be included in the business case.
To complete all sections of the business case, you should seek input from your Chief Technology Officer (CTO), Chief Information Security Officer (CISO) and technical security assurance teams.
How to include security within the business case
Government business cases consist of five elements (the five case model), as explained in The Green Book. The outline below shows how Secure by Design principles should be applied within each element to demonstrate that you have considered and forecast the relevant security requirements.
The security policies and standards that need to be included within a business case will depend on your organisation’s GovAssure profile, and whether the service is part of Critical National Infrastructure.
Step 1. Establish the strategic case
At this stage you demonstrate the need for change and show how the proposal fits with local, regional and national policies and targets. Cyber security elements should include:
- a statement outlining the project’s security risk appetite
- an overview of the security obligations (policy, legal, regulatory and contractual) being met
- a summary of business and user needs, and the security controls required to satisfy them
- a high-level assessment of the threats that may compromise or disrupt your service – keep the level of detail consistent with the classification of the business case, so that sensitive threat information is not exposed in a document handled at a lower classification
Step 2. Establish the economic case
At this stage you will explain how you are providing the best public value to society. Cyber security elements should include:
- an assessment of the potential impact of security threats, and details of how the success factors used to judge resilience against attack will be evidenced
- details of how making security integral to a project’s scope, solution, service delivery and implementation represents good value for money
Step 3. Establish the commercial case
At this stage you outline the relationship between the public sector and service providers. Cyber security elements should include:
- details of support required from third-party products and the security due diligence that will be undertaken
- information on how security requirements will be incorporated into procurement contracts
Step 4. Establish the financial case
At this stage you set out the affordability and preferred funding model. Cyber security elements should include:
- projections for the appropriate security resources (people and technology) required over the full service lifecycle, including contingencies for changes to the threat landscape
Step 5. Establish the management case
At this stage you describe the delivery, monitoring and evaluation structure. Cyber security elements should include:
- an allocation of roles and responsibilities for security stakeholders and details of how security will be governed for the service
- processes for identifying, assessing and mitigating security risks, including those presented by third-party products
- details of how the security impact of changes will be evaluated and managed
- plans for assessing the effectiveness of the security control design and operation throughout the delivery lifecycle