Principle 1 - Foundation and Governance

Detail

The service provider should have a security governance framework that coordinates and directs their overall approach to the management of the service and information within it. Ensure that good governance arrangements for the system are clear.

Good governance implies effective control over the security of the service and of the data held. Where trade-offs need to be made between security, usability and cost, it's important to talk about those trade-offs in terms of business impact rather than technical impact. You need to know who is responsible for the project / service throughout.

You need a clear understanding of the purpose of the service throughout its service timeline.

A full data assessment should be performed to determine:

  • What is the minimum viable dataset required to operate the service
  • What data losses would be acceptable
  • What would the impact be of private data becoming public
  • What would the impact be of the service not being available
  • What would the impact be of the data being maliciously modified or destroyed

Commissioners, service providers and consumers should be provided with the tools required to help them securely manage their service.

Decision Evaluation Criteria:

  • Have the SRO and SIRO for the project been identified, and is there an accepted governance route through which they can be notified of issues, risks and project status
  • Has the Information Asset Owner been identified and engaged as a full stakeholder
  • Is there a clear understanding and definition of the purpose of the project/service
  • Is there an agreed methodology for risk assessments and risk reporting for the project
  • Have the data retention and removal policies been defined
  • Is any information other than that identified in the minimum viable dataset being used or collected

Basis

  • GDS CSP 4 - Governance Framework
  • GDS CSP 9 - Secure Consumer Management
  • NIST 1 - Establish a sound security policy as foundation for design
  • NIST 5 - Reduce risk to an acceptable level
  • NIST 13 - Use common language in developing security requirements
  • OWASP 1 - Perform Architecture, design and threat modelling
  • OWASP 15 - Business Logic