Skip to main content

The GDS Way and its content is intended for internal use by the GDS and CO CDIO communities.

Understand the risks to your service

When you build, maintain or change your service, you must have a clear understanding of any associated risks because they will impact your service design and affect your users.

You should work with GDS Information Security IA to design appropriate solutions for your service’s risks. IA may need to obtain risk acceptance from your Senior Risk Owner (SRO). You can also work with the COD Cyber Security Team to get advice on the threats applicable to your service, and how to best mitigate them.

The Service Manual has some recommendations which can reduce risk to your service, for example, how to:

Model security threats

Modelling threats can help you gain a clearer understanding of threats against your service. GDS uses Attack Tree development workshops to model threats. Any workshops you run should cover all potential attack vectors.

The Cabinet Office Cyber Security Team can help you carry out threat modelling, to help you:

  • Understand threats that are unique to your service, helping you to adopt security conscious behaviours during its design, development and operation
  • Focus mitigation efforts on the threats that matter – that is, threats that pose the greatest risk to the normal operation of your service
  • Ensure the right security controls are in place to match the threats your service faces
  • Adopt secure by design approach to your service throughout the service’s lifecycle

The team can also advise you on how threat model efficiently, should you decide to carry it out yourself or through a third party.

You will find more information on threat modelling on the COD Cyber Security Team’s google site.

Further Reading

The National Cyber Security Centre (NCSC) provides guidance about cyber security. The Service Manual has advice about securing your information and securing your cloud environment.

This page was last reviewed on 20 November 2023. It needs to be reviewed again on 20 May 2024 by the page owner #gds-way .
This page was set to be reviewed before 20 May 2024 by the page owner #gds-way. This might mean the content is out of date.