Technology

Securing your information

Give feedback about this page

From:
Technology community (technical architecture)

Information security is the technologies, policies and practices you choose to help you keep data secure.

It鈥檚 important because government has a duty to protect service users鈥� data. Without this protection, users could lose trust in public services.

The government鈥檚 Cloud First policy means you鈥檒l most likely be building your system in the cloud. Find out more about securing your cloud environment.

Security for 鈥榮ecret鈥� or 鈥榯op secret鈥� information

This guidance is for services holding information that鈥檚 classified by the government as 鈥榦fficial鈥�.

If your service handles information that鈥檚 classified as 鈥榮ecret鈥� or 鈥榯op secret鈥�, then you should ask for specialist advice from your department or agency security team.

Before you start assessing security

Accept your service will have information risk

It鈥檚 unrealistic to aim for a service with no information risk.

You should and identify the risk to your service posed by your technology choices, processes, staffing and data aggregation.

When you understand this risk, you can then to mitigate risks.

Talk to risk professionals

You need to discuss your security decisions with your organisation鈥檚 risk owner. Do this as early as possible when starting to develop your service.

Your risk owner is responsible for dealing with risk in all your organisation鈥檚 services.

They can help you decide the risks you can accept and put a plan in place to mitigate against those you can鈥檛.

When to start considering information security

The government is to start thinking about the security of your service in the discovery phase.

Government security policy means your security measures must be proportionate to the risk and still allow user needs to be met while maintaining the appropriate level of security.

How to assess information security

When you鈥檙e assessing the security of your service and the data you hold, you should consider it under the following general categories:

  • confidentiality: information should only be seen by people who are authorised to access it
  • integrity: information should only be modified by people who are authorised to do so
  • availability: information should be available when needed. Problems or attacks shouldn鈥檛 stop you getting information from the system
  • non-repudiation: nothing should happen in a system that can鈥檛 be traced back to a responsible person

Also consider any relevant privacy legislation and talk to your data protection officer about this.

Carrying out a risk assessment

The suggests that you should:

  1. Consider threats to your system and the information and assets you store.
  2. Record any risks you believe are possible even if you don鈥檛 have a solution.
  3. Prioritise the risks you identify as most likely and the risks that would have the biggest effect on your service and your users.

Learn more about risk assessment

Read these articles to see how other digital organisations manage risk:

  • (The National Cyber Security Centre)
  • (Microsoft)

Risk assessment techniques

Throughout your service鈥檚 development, you can assess how well you鈥檙e managing risks by using techniques like third-party code audits and penetration testing.

You should to rehearse incident management practices.

If an actual incident occurs, you can to identify whether there are actions that would improve the team鈥檚 ability to respond in future.

Protecting information

Once you鈥檝e identified the risks to your information, you can consider how to reduce them, for example by using:

  • physical controls like walls, locked doors or guards
  • procedural controls like making a manager responsible for access, training staff or putting emergency response processes in place
  • regulatory controls like legislation, policy or rules for staff
  • technical controls like cryptographic software, authentication and authorisation systems or secure protocols

Choosing which controls to use

To choose controls, you need to assess the risk of information disclosure or modification then decide which risks you鈥檙e willing to take.

Many controls come with drawbacks and you may find some don鈥檛 suit your service.

Learn about .

On-demand or reactive protection

The controls explained in this guide help to prevent incidents occurring but it is also important for your organisation to detect incidents and react to them.

For example, it is possible to arrange Distributed Denial of Service (DDOS) protection that comes into effect when an attack takes place. This may seem like an unnecessary expense, however the cost needs to be weighed up against the resources it would take to identify and resolve this issue without protection in place.

Getting an IT Health Check

An IT Health Check provides assurance that your organisation鈥檚 external systems are protected from unauthorised access or change.

The check will be a penetration test carried out by a National Cyber Security Centre (NCSC) supplier. Read more about penetration tests.

Further reading

Read about and the .

For projects using artificial intelligence, read the AI Playbook.

From:
Technology community (technical architecture)
Last updated
6 months ago
Last update:

Integrated guidance on Assessing the importance of service assets, Performing threat modelling, Performing a security risk assessment, Agreeing a security controls set for your service, Responding to and mitigating security risks and Retiring service components securely.

  1. Removed references to Data Protection Act 1998.

  2. Guidance first published