Guide to adopting Secure by Design – Preparation
The objective of this phase is to plan, design and make improvements to current processes and capabilities so your organisation is able to meet the Secure by Design policy and support projects to implement the Secure by Design approach.
Assign accountability for Secure by Design to senior leaders
The Chief Digital and Information Officers (CDIOs), or equivalent, who lead on digital strategy and delivery should be accountable for the adoption of the Secure by Design approach across the organisation.
Collaborating with the organisation’s Chief Information Security Officers (CISOs), Chief Technology Officers (CTOs) and the Senior Responsible Officers (SROs) and service owners on project teams, they will:
- ensure the organisation meets the Secure by Design policy
- ensure project delivery teams meet the Secure by Design principles
- raise awareness and promote the benefits of Secure by Design among executive committees and senior leadership teams
- establish Secure by Design as a shared responsibility between digital, technology and security
- help teams understand their roles and responsibilities related to Secure by Design
- sponsor the required changes for integrating Secure by Design across the organisation
Using the example RACI matrix as a starting point, agree who will take on key accountabilities and update job descriptions to reflect the changes in affected roles.
- Share the Secure by Design for senior leaders video
Appoint a Secure by Design champion
Having a champion who works with stakeholders across your organisation will provide the momentum required to drive the adoption of Secure by Design.
The champion does not necessarily need to be a cyber security expert, but they should have a good understanding of the Secure by Design approach and be able to effectively communicate this to others.
They will need to:
- be a central point of contact with the Central Digital and Data Office (CDDO) team
- promote the importance of Secure by Design within their organisation and generate support from others
- establish and run a Secure by Design working group
- produce a Secure by Design transition plan
- report progress towards milestones to senior leaders and internal governance forums
Provide details of your champion to the Cabinet Office CDDO Secure by Design team (secure-by-design@digital.cabinet-office.gov.uk) and request a kick-off meeting to discuss support requirements for your organisation.
- Agree on a schedule for regular meetings with the CDDO Secure by Design team
- Share the About Secure by Design video with your champion to give them an understanding of the basic approach
Establish an internal Secure by Design working group
A working group formed of representatives from teams affected by the Secure by Design approach (such as digital and data, project delivery, cyber security, risk management, assurance and commercial) is an essential part of adopting Secure by Design across an organisation.
Your champion should lead this initiative, organising the programme of activity and ensuring the necessary leadership and resources are available to facilitate progress.
The group will help to:
- encourage collaboration and knowledge sharing among stakeholders from various workstreams
- create alignment between Secure by Design and organisational goals
- establish accountability by defining roles and responsibilities for implementing Secure by Design best practice
- monitor progress towards milestones
- address any issues that arise during the implementation phases
Set up an initial meeting and use the session to share essential information about Secure by Design, drawing on material provided by CDDO that can be tailored to your organisation.
- Agree on a schedule for regular meetings with your working group
- Share the About Secure by Design video with your working group to give them an understanding of the basic approach
Produce a Secure by Design engagement plan
A fundamental objective of Secure by Design is to make cyber security everyone’s collective responsibility.
The example RACI matrix outlines which roles could be involved in Secure by Design activities throughout the digital delivery lifecycle, but your whole organisation should be encouraged to understand the principles of cyber security.
Organisations should work to assess current levels of knowledge within their teams and use appropriate communication channels (such as onboarding material, messaging groups and internal newsletters) to increase awareness and understanding.
Develop a schedule showing what information you need to share with teams throughout the implementation phases. Include details of how and when this will be done.
- The Secure by Design Communication Toolkit includes resources (including presentation slides, a factsheet and a quiz) that provide an overview of the approach and details about how teams can adopt Secure by Design. They can be adapted so they’re relevant to your organisation.
Regular online sessions led by cyber security experts from Cabinet Office CDDO provide an opportunity for teams to ask questions and share issues related to implementing Secure by Design.
- Details of surgery schedules and how to attend will be shared with the champions from each organisation and posted on the xgov-secure-by-design-implementation Slack channel.
Understand your organisation’s current Secure by Design state
It’s crucial to understand the cyber security practices your organisation currently has in place to help guide and support the security efforts of teams delivering digital services. A common approach to core security activities (such as determining risk appetites, threat modelling and technical risk assessments) will allow delivery teams to produce consistent outputs more efficiently.
Produce a readiness assessment by conducting a lightweight review of your existing cyber security capabilities against the Secure by Design principles and activities. Organisations that fall within the scope of GovAssure can use evidence already collected as part of that process to complete this review. The aim of this activity is to identify necessary improvements and establish associated timelines, which can then be integrated into your transition plan.
This should be managed by your Secure by Design champion with input from the working group and other relevant colleagues. The preparation checklist contains fields for you to indicate which principles and respective requirements you meet, and how mature the existing cyber security practices are in relation to the activities.
- Download a Secure by Design preparation checklist
Produce a transition plan
Organisations need to outline the steps necessary to move from their current state to achieving all the requirements of Secure by Design. A detailed roadmap will help to ensure this transition is managed effectively and efficiently.
Each organisation’s plan will be different depending on the areas identified as requiring improvement in their preparation checklist. The following headings could provide a useful structure for producing a clear and actionable plan:
- Relevant stakeholders and their roles
- Elements in scope of Secure by Design
- Goals, objectives and milestones
- Specific tasks and timelines
- Resource allocation
Regular progress reports should be communicated to the organisation so teams can be confident that milestones are being met and issues can be addressed as they arise.
This should be developed using the project management tools preferred by your organisation. Work with delivery and project managers, your PMO and others to embed Secure by Design into existing processes.
- Support is available from CDDO via your Secure by Design champion to help ensure your organisation’s transition plan covers all the necessary elements
Update your internal policies and processes with Secure by Design requirements
Ways of working across your organisation need to be updated to reflect the Secure by Design policy.
This may include digital standards, network access policies, data policies, hardware policies, governance structures and any other process used by teams that has cyber security implications.
Champions should work with their organisation’s project management office to ensure Secure by Design requirements are referenced within assurance criteria, guidance and templates used across the delivery of digital services.
Collate a list of documentation across your organisation where Secure by Design is relevant. Add these to your transition plan with details on what needs to be updated and who is involved in making the necessary changes.
- Support is available from CDDO via your Secure by Design champion to help identify which policies may be affected and what updates may be necessary
Review the governance forums across your organisation to understand whether Secure by Design progress reports can be included within an existing structure or if a new oversight process is required.
Agree pilot projects for trialling Secure by Design
Your transition plan should be tested in a real-world scenario before applying it across all in-scope projects.
This will allow you to gather data and feedback from those involved to help you:
- see if the processes you have planned are effective
- check that your resource assumptions are correct
- monitor whether the appropriate responsibilities have been assigned to leadership and delivery roles
The Secure by Design policy applies to new services and significant changes to services that fall into scope of the digital and technology spend controls approval process. Projects that meet these criteria are good candidates to use for testing.
Review the project pipeline with project managers in your organisation to identify suitable options to discuss within your working group.
You may choose to deploy your trial across multiple projects in order to test processes during discovery, alpha and beta delivery phases.
- Support is available from CDDO via your Secure by Design champion to help ensure your pilot can provide you with the knowledge required before a full implementation