
The GDS Way and its content are intended for internal use by the GDS community.

Understand the risks to your service

When you build, maintain or change your service, you must have a clear understanding of any associated risks because they will impact your service design and affect your users.

You should work with GDS Information Security IA to design appropriate solutions for your service’s risks. IA may need to obtain risk acceptance from your Senior Risk Owner (SRO). You can also work with the COD Cyber Security Team to get advice on the threats applicable to your service, and how to best mitigate them.

The Service Manual has some recommendations which can reduce risk to your service, for example, how to:

The government security hub security.gov.uk provides links to the policies and standards that we have to follow.

Model security threats

Modelling threats can help you gain a clearer understanding of threats against your service. GDS uses Attack Tree development workshops to model threats. Any workshops you run should cover all potential attack vectors.

The Cabinet Office Cyber Security Team can help you carry out threat modelling, to help you:

  • Understand threats that are unique to your service, helping you to adopt security-conscious behaviours during its design, development and operation
  • Focus mitigation efforts on the threats that matter – that is, threats that pose the greatest risk to the normal operation of your service
  • Ensure the right security controls are in place to match the threats your service faces
  • Adopt a secure-by-design approach to your service throughout its lifecycle

The team can also advise you on how to threat model efficiently, should you decide to carry it out yourself or through a third party.

You will find more information on threat modelling on the COD Cyber Security Team’s Google site.

Further Reading

The National Cyber Security Centre (NCSC) provides guidance about cyber security. The Service Manual has advice about securing your information and securing your cloud environment.

This page was last reviewed on 3 May 2024. It needs to be reviewed again on 3 November 2024 by the page owner #gds-way.