Principle 2 - Secure the Team
Detail
Everyone in the team responsible for designing and operating the service must know what their role is, and what constitutes acceptable behaviour.
All staff should be subject to personnel security screening and security education appropriate to their role. Team members must be able to design and develop secure services, which includes being able to identify and mitigate threats to service security.
Decision Evaluation Criteria:
- Are all members of the team vetted through secure HR processes prior to gaining access to the project?
- Do all members of the development team hold current and valid certification in Secure Software Development (such as CSSLP)?
- Does the development organisation require annual training and certification in Information Security and Information Governance?
- Does the development organisation have a recognised training programme to help staff write secure code (e.g. OWASP Security Knowledge Framework)?
Basis
- GDS CSP 6 - Personnel Security
- GDS CSP 7 - Secure Development
- NIST 4 - Ensure that developers are trained in how to develop secure software