
Tracking Secure by Design progress

This activity must be performed during the following phases:

  • Discovery
  • Alpha
  • Private beta
  • Public beta and live

Ongoing self-assessment is important for implementing Secure by Design (SbD) principles. It allows you to track your SbD activities and maintain cyber security in your project's work.

We have developed the self-assessment tracker to support delivery teams. Complete the relevant activities in the self-assessment tracker as your project progresses.

Self-assessment tracker

Secure by Design self-assessment tracker

This tracker will evolve to better serve DfE needs. See the latest release notes for updates.

This tracker offers senior leaders a clear view of Secure by Design adoption across DfE.

The maturity of confidence in Secure by Design should increase through a project's lifecycle.

Use of the self-assessment tracker will support organisational confidence that:

  • security risks are promptly and effectively managed
  • DfE's cyber/information security risk exposure is reduced

Purpose of self-assessment

The self-assessment tracker helps you understand your project's cyber security maturity.

The assessment is there to prompt you on:

  • activities expected from a cyber security perspective
  • actions and planning based on the insights the exercise provides

You may already be performing these activities, in which case the extra ask is to evidence this to the relevant stakeholders.

Projects are not expected to provide perfect answers or an 'all green report'.

Projects must accurately report their security status so that risks are identified and addressed promptly, and to show that security has been considered as part of delivery.

This demonstrates due diligence and must be shared with external stakeholders.

When should self-assessment be completed?

You should complete self-assessments at several points of your project's lifecycle, including:

  • during the initial planning phase
  • after significant milestones or changes in the project
  • on a regular basis (for example, quarterly) to ensure ongoing compliance and security

The actual frequency is dependent upon your project.

What evidence or information do I need to supply as part of self-assessment?

You will need to provide:

  • details of your project/service
  • explanation of how your team has met the security requirements for a delivery phase. This may include a reference to where activity outputs have been saved

The evidence for a project or service depends on its:

  • scale
  • complexity
  • potential business impact on DfE objectives in the event of a cyber incident

Projects with higher business impact will need more extensive evidence of SbD activities.

The input and output evidence examples illustrate what is required for SbD good practice. They are not prescriptive; the necessary information may be found in fewer pieces.

For example, on smaller, less complex projects there may be a single design document that contains architecture, high-level and low-level designs. A complex project may have many architectural and design documents at all levels.

You must ensure links to supporting documents have appropriate access settings for security.

Our published policies and standards provide more guidance on the evidence required. They will be updated where appropriate to ensure a consistent DfE approach.

Who do I need to share my self-assessment with?

You should share your self-assessment with:

  • delivery teams
  • service owner (SRO)
  • Cyber and Information Security Division (CISD)

Sharing your self-assessment with CISD

Completed self-assessments must be shared with CISD. This allows DfE to provide organisational reporting on SbD adoption to wider government.

You can submit your self-assessments by completing this form.

Reviewing the self-assessment output

The value of the self-assessment is the analysis, usage and insight it provides you.

Projects should take a risk-based approach and have responsibility for:

  • deciding what level of maturity they need in each aspect of security
  • understanding the gaps and strengths in their security approach

Use this understanding to inform future security activities as part of your cyber security plan.

Plan for next assessment

Your team remains responsible for cyber security and risk management throughout delivery. The self-assessment only provides a snapshot of a project's security maturity at a specific time.

Your team should continue self-assessment during delivery to identify gaps and maximise benefits.