Understand the risks to your service
When you build, maintain or change your service, you must have a clear understanding of any associated risks because they will impact your service design and affect your users.
You should work with GDS Information Security IA to design appropriate solutions for your service’s risks. IA may need to obtain risk acceptance from your Senior Risk Owner (SRO). You can also work with the COD Cyber Security Team to get advice on the threats applicable to your service, and how to best mitigate them.
The Service Manual has some recommendations which can reduce risk to your service, for example, how to:
- protect against fraud when you design and manage your service
- secure your information if you handle ‘official’ classified data
Model security threats
Modelling threats can help you gain a clearer understanding of threats against your service. GDS uses Attack Tree development workshops to model threats. Any workshops you run should cover all potential attack vectors.
The Cabinet Office Cyber Security Team can help you carry out threat modelling, to help you:
- Understand threats that are unique to your service, helping you to adopt security conscious behaviours during its design, development and operation
- Focus mitigation efforts on the threats that matter – that is, threats that pose the greatest risk to the normal operation of your service
- Ensure the right security controls are in place to match the threats your service faces
- Adopt secure by design approach to your service throughout the service’s lifecycle
The team can also advise you on how threat model efficiently, should you decide to carry it out yourself or through a third party.
You will find more information on threat modelling on the COD Cyber Security Team’s google site.