Guidance

Make things secure

Keep systems and data safe with the appropriate level of security.

To meet point 6 of the Technology Code of Practice (TCoP) your plans must show how you are securing data and systems.

If you’re going through the spend control process you must explain how you’re meeting point 6.

How meeting security requirements helps your programme

By securing your technology you will:

Assess your security and resources

You must consider security from the start of your technology programme, and for your service as a whole. Before you start, consider the following questions:

  1. What security risks does your programme have?
  2. Will your programme use or collect sensitive data?
  3. How will your programme’s security interact with other systems?
  4. How will your programme’s security integrate with your organisation’s departmental security and processes?
  5. How will your programme’s security meet the Minimum Cyber Security standard and go beyond that standard where needed?
  6. Do you have access to the security expertise and skills you need?
  7. How will you source the security expertise and skills you need?
  8. What changes to your organisation’s security documentation and processes will your programme need?
  9. How will you provide appropriate security assurance, both throughout the duration of the programme and for its product or service?

Each organisation’s security resources will depend on their budget, risk appetite and what information and services they’re handling. Discuss your programme’s security requirements with the team or individual responsible for security in your organisation. As part of this you should:

  • conduct a risk assessment for your programme
  • identify and comply with any relevant security regulations and frameworks such as those in the technology security guidance list
  • agree how your programme will work with the security and assurance policies used within your organisation
  • assign roles and responsibilities for security within the programme
  • consider if you have access to the relevant security expertise, or if you need to bring in additional skills

Once you have identified your programme security risks, you should integrate these into your programme plan, and include:

  • how your programme will track, mitigate, or accept security risks
  • expected timetables for mitigating each risk
  • clear and well documented security processes
  • plans for training and controlling the access of your users

Use proportionate security for your technology

Choose proportionate security to control and monitor your technology programme. Security should protect your information technology and digital services, and enable users to access the data they need for their work.

You should consider the security of any tools you might use to implement and maintain your technology programme.

As you implement your technology programme you should continually review your security, and make sure that you’re mitigating or accepting the security risks that you’ve identified.

Network and infrastructure security

Malicious access is always a risk. Plan how to:

  • identify
  • protect
  • detect
  • respond
  • quickly recover

Make sure you have processes and controls in place to collect, record, protect, and analyse information about any attacks and use this data to improve defences. You should:

Data security

When platforms have internet access and hold real data, attackers may try to steal or alter that data, and the risk of an accidental leak of real data is also greater. You should:

You should integrate security controls and monitoring with the data and network flows using proportionate risk analysis.

Service security

You can find information on securing your services in:

Cloud security

The government’s approach to security in the cloud is set out in the Cloud security guidance.

Whether you’re procuring software as a service (SaaS) or developing your own solution for a platform of tools and services, you should put in place mitigations such as:

  • data encryption
  • single sign-on
  • two-factor authentication (2FA)
  • fine-grained access control
  • usage monitoring and alerts
  • timely patching

Providing assurance

You will need to set up assurance mechanisms to monitor your programme security, identify potential risks, and provide confidence to senior leaders and stakeholders about the effectiveness of your security controls.

Continually evaluate your security controls to make sure they:

  • provide users with appropriate levels of access
  • effectively monitor for security risks
  • provide sufficient data for risk analysis
  • identify and record all activities and can find anomalies
  • enable you to make informed decisions about actions to mitigate discovered risks

Use continuous improvement planning to manage and update security

You will need to provide ongoing assurance of your programme’s security and consider how it integrates with the rest of your organisation’s security. You should discuss this with the team or individual responsible for security in your organisation.

You should consider:

  • who will be responsible for the overall security of the programme
  • how the programme’s security will be continually assured, monitored, and assessed
  • what types of security software testing would be appropriate for your programme
  • who will assure, monitor, and assess the programme’s security
  • who will implement security updates to ensure the ongoing security of the programme
  • who will be responsible for responding to security incidents affecting the programme

Consider using continuous improvement planning in your business-as-usual processes. This will give you regular opportunities to review and improve your security as needed. The review process will also make sure that your security still meets user needs and keeps pace with evolving technology.


Published 6 November 2017
Last updated 31 March 2021

Updates:
  1. Addition of a temporary research survey to get user feedback on the Technology Code of Practice.
  2. Additional content included and restructure of page.
  3. First published.