Securing your information
Information security is the technologies, policies and practices you choose to help you keep data secure.
It바카라 사이트™s important because government has a duty to protect service users바카라 사이트™ data. Without this protection, users could lose trust in public services.
The government바카라 사이트™s Cloud First policy means you바카라 사이트™ll most likely be building your system in the cloud. Find out more about securing your cloud environment.
Security for 바카라 사이트˜secret바카라 사이트™ or 바카라 사이트˜top secret바카라 사이트™ information
This guidance is for services holding information that바카라 사이트™s classified by the government as 바카라 사이트˜official바카라 사이트™.
If your service handles information that바카라 사이트™s classified as 바카라 사이트˜secret바카라 사이트™ or 바카라 사이트˜top secret바카라 사이트™, then you should ask for specialist advice from your department or agency security team.
Before you start assessing security
Accept your service will have information risk
It바카라 사이트™s unrealistic to aim for a service with no information risk.
You should and identify the risk to your service posed by your technology choices, processes, staffing and data aggregation.
When you understand this risk, you can then to mitigate risks.
Talk to risk professionals
You need to discuss your security decisions with your organisation바카라 사이트™s risk owner. Do this as early as possible when starting to develop your service.
Your risk owner is responsible for dealing with risk in all your organisation바카라 사이트™s services.
They can help you decide the risks you can accept and put a plan in place to mitigate against those you can바카라 사이트™t.
When to start considering information security
The government is to start thinking about the security of your service in the discovery phase.
바카라 사이트 security policy means your security measures must be proportionate to the risk and still allow user needs to be met while maintaining the appropriate level of security.
How to assess information security
When you바카라 사이트™re assessing the security of your service and the data you hold, you should consider it under the following general categories:
- confidentiality: information should only be seen by people who are authorised to access it
- integrity: information should only be modified by people who are authorised to do so
- availability: information should be available when needed. Problems or attacks shouldn바카라 사이트™t stop you getting information from the system
- non-repudiation: nothing should happen in a system that can바카라 사이트™t be traced back to a responsible person
Also consider any relevant privacy legislation and talk to your data protection officer about this.
Carrying out a risk assessment
The suggests that you should:
- Consider threats to your system and the information and assets you store.
- Record any risks you believe are possible even if you don바카라 사이트™t have a solution.
- Prioritise the risks you identify as most likely and the risks that would have the biggest effect on your service and your users.
Learn more about risk assessment
Read these articles to see how other digital organisations manage risk:
- (The National Cyber Security Centre)
- (Microsoft)
Risk assessment techniques
Throughout your service바카라 사이트™s development, you can assess how well you바카라 사이트™re managing risks by using techniques like third-party code audits and penetration testing.
You should to rehearse incident management practices.
If an actual incident occurs, you can to identify whether there are actions that would improve the team바카라 사이트™s ability to respond in future.
Protecting information
Once you바카라 사이트™ve identified the risks to your information, you can consider how to reduce them, for example by using:
- physical controls like walls, locked doors or guards
- procedural controls like making a manager responsible for access, training staff or putting emergency response processes in place
- regulatory controls like legislation, policy or rules for staff
- technical controls like cryptographic software, authentication and authorisation systems or secure protocols
Choosing which controls to use
To choose controls, you need to assess the risk of information disclosure or modification then decide which risks you바카라 사이트™re willing to take.
Many controls come with drawbacks and you may find some don바카라 사이트™t suit your service.
Learn about .
On-demand or reactive protection
The controls explained in this guide help to prevent incidents occurring but it is also important for your organisation to detect incidents and react to them.
For example, it is possible to arrange Distributed Denial of Service (DDOS) protection that comes into effect when an attack takes place. This may seem like an unnecessary expense, however the cost needs to be weighed up against the resources it would take to identify and resolve this issue without protection in place.
Getting an IT Health Check
An IT Health Check provides assurance that your organisation바카라 사이트™s external systems are protected from unauthorised access or change.
The check will be a penetration test carried out by a National Cyber Security Centre (NCSC) supplier. Read more about penetration tests.
Further reading
Read about and the .
For projects using artificial intelligence, read the AI Playbook.
Updates to this page
-
Integrated guidance on Assessing the importance of service assets, Performing threat modelling, Performing a security risk assessment, Agreeing a security controls set for your service, Responding to and mitigating security risks and Retiring service components securely.
-
Removed references to Data Protection Act 1998.
-
Guidance first published