Summary
Understand what data and information your service will be collecting from users, and how this will be stored and used. Identify and address security threats, legal responsibilities, confidentiality, privacy issues, and risks associated with the service. Consult experts where you need to.
A secure service also includes, but is not limited to, consideration of how to handle policy, money, safeguarding and future DfE strategy information.
Why it's important
DfE handles personal and sensitive information (opens DfE intranet) about users, children's services, and education.
We have a legal duty to protect personal and sensitive information. Failing to do so would undermine public trust in DfE services.
DfE service and project teams must understand the importance of protecting the confidentiality, integrity, and availability of sensitive information. This includes being aware of risks that reduce the security of the information, and taking action to mitigate.
How to meet this standard in every phase
You'll be assessed on what you've done to meet this standard at service assessments. However, even if the service you're working on is not being assessed, it's good practice to consider how you'll meet this standard point.
Discovery
Things to consider:
- building an awareness of DfE security policies (opens DfE intranet) and recognizing which ones relate to the service
- evidence that there has been engagement with Information Security and a response has been received to indicate how security assurance (opens DfE intranet) should proceed
- evidence that a Data Protection Impact Assessment (DPIA) (opens DfE intranet) has been started, where necessary
- evidence that a Departmental Security Assurance Model (DSAM) process (opens DfE intranet) has been started
- a plan that details headline General Data Protection Regulation (GDPR) (opens DfE intranet) requirements
- identify the minimum personal information you need from users to provide the service
- whether the service needs identity assurance or authentication
- if the service needs identity assurance or authentication, consider your approach to identifying and evaluating assurance and authentication methods that balance risks in a proportionate way, for example, using common components, such as DfE Sign-in
Things to avoid in discovery
- not engaging with Information Security early in the process
- overlooking the need for a DPIA or other security assessments
Alpha
Things to consider:
- continue to work on the DPIA, where relevant
- demonstrable evidence that the service you want to build is technically feasible and meets required security standards
- if delivery and security are two competing risks, speak to your Senior Responsible Officer (SRO) to discuss impact and requirements
- explore security anti-personas or bad actors for the service, if relevant
- tech choices and common components you might use when you build your service
- a plan for how the findings from checking technical feasibility and security compliance will be addressed in beta
- how to protect users and the service from fraud
- the use of cookies in the service
- how you will manage and own risks through risk registers and applying information assurance best practices
Things to avoid in alpha
- ignoring the importance of balancing delivery speed with security
- overlooking the technical feasibility of security requirements
Beta and live
Things to consider:
- evidence of addressing findings from alpha
- findings of DPIA are being addressed
- before going into private beta, do a penetration test if the service is a new service or a significant change is made to a new service. A significant change could be a change in scope, storing more data, or opening up to customers
- residual security risks and mitigations have been raised and assigned
- demonstrable evidence of how services and data storage will be secured to prevent data loss, corruption, and availability concerns, among others
- how you've tested your service to ensure it doesn't expose security risks, for example, testing against OWASP Top 10
- use of common components, such as DfE Sign-in if authentication is required, to secure your service
- creating an asset register for the service
- evidence that all risks to security have been addressed when moving from beta to live
- evidence that the security controls implemented are compliant with department standards
- how you will eventually decommission the service. Consider if the service is needed for a specific time, or whether it's needed for longer
- consider archive or retention policies and access requirements
- how to support Freedom of Information (FOI) requests or Subject Access Requests (SARs)
- security and vulnerability issues with any systems that aren't being actively monitored or maintained
Things to avoid in beta and live
- not addressing all security findings before moving to the next phase
- failing to plan for the decommissioning and long-term management of the service
Profession specific guidance
Each DDaT profession in DfE has their own community and guidance.