Securing your information

Information security is the technologies, policies and practices you choose to help you keep data secure.

It’s important because government has a duty to protect service users’ data. Without this protection, users could lose trust in public services.

The government’s Cloud First policy means you’ll most likely be building your system in the cloud. Find out more about securing your cloud environment.

Security for ‘secret’ or ‘top secret’ information

This guidance is for services holding information that’s classified by the government as ‘official’.

If your service handles information that’s classified as ‘secret’ or ‘top secret’, then you should ask for specialist advice from your department or agency security team.

Before you start assessing security

Accept your service will have information risk

It’s unrealistic to aim for a service with no information risk.

You should and identify the risk to your service posed by your technology choices, processes, staffing and data aggregation.

When you understand this risk, you can then to mitigate risks.

Talk to risk professionals

You need to discuss your security decisions with your organisation’s risk owner. Do this as early as possible when starting to develop your service.

Your risk owner is responsible for dealing with risk in all your organisation’s services.

They can help you decide the risks you can accept and put a plan in place to mitigate against those you can’t.

When to start considering information security

The government is to start thinking about the security of your service in the discovery phase.

Security policy means your security measures must be proportionate to the risk and still allow user needs to be met while maintaining the appropriate level of security.

How to assess information security

When you’re assessing the security of your service and the data you hold, you should consider it under the following general categories:

  • confidentiality: information should only be seen by people who are authorised to access it
  • integrity: information should only be modified by people who are authorised to do so
  • availability: information should be available when needed. Problems or attacks shouldn’t stop you getting information from the system
  • non-repudiation: nothing should happen in a system that can’t be traced back to a responsible person

Also consider any relevant privacy legislation and talk to your data protection officer about this.

Carrying out a risk assessment

The suggests that you should:

  1. Consider threats to your system and the information and assets you store.
  2. Record any risks you believe are possible even if you don’t have a solution.
  3. Prioritise the risks you identify as most likely and the risks that would have the biggest effect on your service and your users.

Learn more about risk assessment

Read these articles to see how other digital organisations manage risk:

  • (The National Cyber Security Centre)
  • (Microsoft)

Risk assessment techniques

Throughout your service’s development, you can assess how well you’re managing risks by using techniques like third-party code audits and penetration testing.

You should to rehearse incident management practices.

If an actual incident occurs, you can to identify whether there are actions that would improve the team’s ability to respond in future.

Protecting information

Once you’ve identified the risks to your information, you can consider how to reduce them, for example by using:

  • physical controls like walls, locked doors or guards
  • procedural controls like making a manager responsible for access, training staff or putting emergency response processes in place
  • regulatory controls like legislation, policy or rules for staff
  • technical controls like cryptographic software, authentication and authorisation systems or secure protocols

Choosing which controls to use

To choose controls, you need to assess the risk of information disclosure or modification then decide which risks you’re willing to take.

Many controls come with drawbacks and you may find some don’t suit your service.

Learn about .

On-demand or reactive protection

The controls explained in this guide help to prevent incidents occurring but it is also important for your organisation to detect incidents and react to them.

For example, it is possible to arrange Distributed Denial of Service (DDoS) protection that comes into effect when an attack takes place. This may seem like an unnecessary expense. However, the cost needs to be weighed up against the resources it would take to identify and resolve this issue without protection in place.

Getting an IT Health Check

An IT Health Check provides assurance that your organisation’s external systems are protected from unauthorised access or change.

The check will be a penetration test carried out by a National Cyber Security Centre (NCSC) supplier. Read more about penetration tests.

Further reading

Read about and the .

For projects using artificial intelligence, read the AI Playbook.

Updates to this page

Published 20 October 2016
Last updated 17 October 2024
  1. Integrated guidance on Assessing the importance of service assets, Performing threat modelling, Performing a security risk assessment, Agreeing a security controls set for your service, Responding to and mitigating security risks and Retiring service components securely.

  2. Removed references to Data Protection Act 1998.

  3. Guidance first published