Agreeing roles and responsibilities

To agree security roles and responsibilities, delivery teams should:

  1. Review their existing resourcing plans.
  2. Understand their mandatory security obligations, including relevant policies, regulations, laws, and contractual obligations.
  3. Understand the activities required to deliver secure digital services.
  4. Assign activities to roles.
  5. Share roles and responsibilities with the assigned individuals, making clear what is expected of each of them.
  6. Review roles and responsibilities on a regular basis to ensure they are still appropriate for the service and the assigned individual.

When assigning tasks to roles, we recommend using a RACI (Responsible, Accountable, Consulted, Informed) matrix.

The Cyber and Information Security Division (CISD) will be providing an outline RACI shortly.

Get your team involved

Secure by Design encourages everyone to be involved in delivering secure outcomes. Educating and empowering everyone in a delivery team to be active participants in security will drive better outcomes through a “one-team” mindset and participation in risk identification and management.

Make sure your team understands:

  • that the project is responsible for cyber security
  • why designing for security from the start, and then throughout, is important
  • their role in keeping DfE data secure