TDA Submission Template - Security Alignment
Introduction
This guidance has been designed to help project teams submitting proposals to the Technical Design Authority (TDA) using the TDA Submission Template.
Teams are asked to supply details of how their proposal meets specified criteria in three areas - architecture, security and data.
This section contains information on each item listed in the “Security Alignment” section of the presentation, and provides guidance by attempting to answer three questions.
- What does the item mean in this context?
- Why does the item need to be addressed?
- How would a team go about meeting the item requirements?
Note: The current GOV.UK security standard is GovS007.
Has a security assessment been conducted on this product?
What? – A security assessment determines the steps you need to take to make your service secure in accordance with any relevant policies and standards.
Why? – To meet the conditions for point 6 of the Technology Code of Practice (TCoP) your proposal should contain information on the results of any security assessments.
If you’re going through the spend control process you need to explain how you’re meeting TCoP point 6.
How? – Start by reviewing the “Assess your security and resources” section in TCoP point 6. Work through the numbered questions listed to help complete the assessment, including any relevant information in your proposal. Section 9 of the GOV.UK service standard includes guidance on making a service secure and Govassure provides information on meeting government criteria for cybersecurity assessments.
Have any security risks been captured?
What? – Any security risks captured in the assessment should be recorded and investigated, with a view to developing a solution to prevent them.
Why? – To meet the conditions for TCoP point 6 your proposal should contain information on detecting and dealing with any known security risks.
If you’re going through the spend control process you need to explain how you’re meeting TCoP point 6.
How? – Review the “Assess your security and resources” section in TCoP point 6 and apply the guidance on capturing and managing any security risks to your service. Section 9 of the GOV.UK service standard also includes instructions on managing risk and integrating security measures into your service. Ensure your proposal contains a full breakdown of any known security risks and the measures taken to manage them.
Does the product include the capability to detect, log and respond to security incidents?
What? – If the product is deployed in a public-facing environment, there should be measures in place to handle potential security incidents.
Why? – To meet the conditions for TCoP point 6 your proposal should contain information on managing security incidents.
If you’re going through the spend control process you need to explain how you’re meeting TCoP point 6.
How? – Review the “Using proportionate security for your technology” and “Use continuous improvement planning to manage and update security” sections in TCoP point 6, and ensure your proposal contains information demonstrating how your service will comply with any relevant requirements. Section 9 of the GOV.UK service standard also includes instructions on securing information and testing for vulnerabilities.
Can the product integrate into the Justice Digital Security Operations Centre?
What? – The Justice Digital Security Operations Centre (SOC) proactively monitors, detects, analyses and responds to cybersecurity threats and incidents in real time, ensuring the protection of digital assets and data. The point of contact/service owner is currently Graham Inglis.
Why? – To meet the conditions for TCoP point 6 your proposal should outline any plans for integration with the SOC.
If you’re going through the spend control process you need to explain how you’re meeting TCoP point 6.
How? – Review the “Use continuous improvement planning to manage and update security” section in TCoP point 6 to help with assurance guidelines on continuous improvement. Contact the SOC to ensure your security requirements are within scope for monitoring and include any relevant information in your proposal.
Is this product using safe cryptography? (e.g. Quantum safe)
What? – To mitigate any future threat from quantum computers, there is a requirement that all government services, systems, and products migrate to post-quantum cryptography (PQC) to ensure an adequate level of cybersecurity protection. The requirement is not immediate, but it does need to be considered in any cybersecurity spend forecasts.
Why? – To meet the conditions for TCoP point 6 your proposal should contain information on building resilience against cybersecurity threats.
If you’re going through the spend control process you need to explain how you’re meeting TCoP point 6.
How? – Consult the PQC guidance page at the National Cyber Security Centre (NCSC) and evaluate how the migration timeline might impact your service. Include any details on potential costs for migration activities in your proposal. Section 9 of the GOV.UK Service Standard also includes instructions on securing a service.
Is security in-built? (Secure by Design)
What? – Secure by Design is a government framework used to ensure effective cybersecurity practices are built into any new or updated digital services and infrastructure.
Why? – To meet the conditions for TCoP point 6 your proposal should confirm that any system or service components have been designed and implemented according to government best practice.
If you’re going through the spend control process you need to explain how you’re meeting TCoP point 6.
How? – Consult the “Network and infrastructure security” section of TCoP point 6 and the Secure by Design site for information on incorporating appropriate cybersecurity solutions into your service. Include details on meeting Secure by Design requirements in your proposal.