5 Make it secure
Identify the data and information the service will use or create. Put appropriate legal, privacy and security measures in place.
Why it’s in the Standard
People who use government services must have confidence that:
- any information they provide is confidential and stored appropriately
- the system they’re using is safe and secure
- they know how their information will be used by government
- they can easily retrieve information they provide.
If a service cannot guarantee confidentiality, integrity and availability of the system, people will not use it.
How you’ll be assessed
During Alpha you’ll have an understanding of the users, data and threats that affect your service, and you will have established an appropriate approach to integrating relevant security and privacy measures into your design with minimal user impact. In Alpha you should:
- identify secure and private methods of generating or processing data within or between datastores, the solution and users
- identify appropriate authentication methods that are as seamless as possible to the user
- understand to what degree the solution has to comply with the Information Security Manual and Protective Security Policy Framework, and internal agency security policies, and create a plan on how to achieve this
- conduct a privacy impact assessment
- conduct a threat and risk assessment, and an Information Security Registered Assessors Program Assessment (IRAP) if appropriate
- identify potential threats to your service, including potential pathways for insider threats and hackers, and demonstrate an understanding of how to mitigate the identified threats.
To support the work in Alpha you should:
- map the systems, data and responsible agencies
- understand what user data might be needed or collected by the service
- understand what existing statistical datasets may be relevant to your service and the Australian Government principles on data integration
- understand which data you collect is (and isn’t) personal information and how it might be stored, accessed and disseminated
- involve relevant security professionals throughout the Alpha stage
- understand the service requirements relating to:
  - legal constraints
  - records management
  - privacy, including the Privacy Act and Australian Privacy Principles
  - copyright and open licensing, including the principles on open public sector information, Australian Government intellectual property rules and Australia’s commitment to the Open Government Partnership
  - the Freedom of Information Act
  - the Spam Act
  - state and territory government policies, if relevant.
During the Beta stage you’ll develop a secure system that integrates seamlessly into the proposed solution. It will have appropriate security controls embedded within it to mitigate all identified threats. You should:
- involve all relevant stakeholders within the project, including:
  - business owners
  - information risk and compliance teams
  - SIRO (Senior Information Risk Owner)
  - IAO (Information Asset Owner)
  - IT security teams
  - internal fraud teams, if appropriate
- address all legal and privacy issues associated with protecting and sharing user data
- create a solution to test and implement security patches quickly and efficiently
- demonstrate that effective security controls are in place to protect data used or accessed by the solution
- integrate into or create relevant security documentation
- create a risk treatment plan to track risks and mitigations
- test the security of the solution and address all vulnerabilities discovered
- build detection and prevention mechanisms into the solution, including:
  - an incident response plan
  - a logging solution that can fully trace a user as they traverse each part of the system
  - appropriate business rules that check the validity of interactions with the solution.
As you go live you should be able to show that you have created a robust secure solution that meets all security, legislative and legal requirements. It should:
- manage frequent security updates
- identify malicious or fraudulent activity
- have appropriate policies in place to respond quickly to security events
- have the ability to integrate into existing security monitoring solutions
- allow users to interact securely with the solution with minimal impact on user experience
- have mitigated all known vulnerabilities in the solution.
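The Beta items on a logging solution that can trace a user across each part of the system and on business rules that check the validity of interactions, and the go-live item on identifying malicious or fraudulent activity, are easier to picture with a concrete log. The following is an added example, not code from the Digital Service Standard or any agency: a constructed, structured audit log in which the gateway mints a correlation id (trace_id) per request and forwards it to each downstream service, so every hop logs the same value. The service names (gateway, forms, records), user ids and events are invented for illustration. Over that log it shows a per-user journey reconstruction, a business-rule check (a form submission must follow a successful authentication in the same trace) and a simple detection for bursts of failed logins.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON line per event, as each service would write it.
# Service names, users and timestamps are invented; trace_id is the correlation
# id minted by the gateway and propagated (e.g. in a request header) to each hop.
SAMPLE_LOG = """
{"ts": "2016-05-06T09:00:00", "service": "gateway", "user": "u-101", "action": "authenticate", "outcome": "ok", "trace_id": "t-1"}
{"ts": "2016-05-06T09:00:02", "service": "forms", "user": "u-101", "action": "submit", "outcome": "ok", "trace_id": "t-1"}
{"ts": "2016-05-06T09:00:03", "service": "records", "user": "u-101", "action": "store", "outcome": "ok", "trace_id": "t-1"}
{"ts": "2016-05-06T09:10:00", "service": "gateway", "user": "u-202", "action": "authenticate", "outcome": "fail", "trace_id": "t-2"}
{"ts": "2016-05-06T09:10:20", "service": "gateway", "user": "u-202", "action": "authenticate", "outcome": "fail", "trace_id": "t-3"}
{"ts": "2016-05-06T09:10:41", "service": "gateway", "user": "u-202", "action": "authenticate", "outcome": "fail", "trace_id": "t-4"}
{"ts": "2016-05-06T09:12:00", "service": "forms", "user": "u-303", "action": "submit", "outcome": "ok", "trace_id": "t-5"}
"""


def parse_log(text):
    """Parse JSON lines into event dicts, with ts as datetime, sorted by time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"])
    return sorted(events, key=lambda event: event["ts"])


def trace_user(events, user):
    """Reconstruct one user's journeys: {trace_id: [(service, action, outcome), ...]}.

    Because every service logs the gateway's trace_id, the full path through the
    system is recoverable without joining on timestamps or IP addresses.
    """
    journeys = defaultdict(list)
    for event in events:
        if event["user"] == user:
            journeys[event["trace_id"]].append(
                (event["service"], event["action"], event["outcome"]))
    return dict(journeys)


def submissions_without_auth(events):
    """Business rule: a form submit must follow a successful authenticate in the
    same trace. Returns trace ids that violate it (events must be time-ordered)."""
    authenticated = set()
    violations = []
    for event in events:
        if event["action"] == "authenticate" and event["outcome"] == "ok":
            authenticated.add(event["trace_id"])
        elif event["action"] == "submit" and event["trace_id"] not in authenticated:
            violations.append(event["trace_id"])
    return violations


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Detection rule: users with at least `threshold` failed authentications
    inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for event in events:
        if event["action"] == "authenticate" and event["outcome"] == "fail":
            failures[event["user"]].append(event["ts"])
    flagged = set()
    for user, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("journeys for u-101:", trace_user(evs, "u-101"))
    print("submits without auth:", submissions_without_auth(evs))
    print("failed-login bursts:", failed_login_bursts(evs))
```

The three functions stand in for what a real monitoring integration would do: the trace reconstruction is what an incident responder needs when a user reports a problem, the business-rule check catches interactions that bypass an expected step, and the burst detector is the kind of rule an existing security monitoring solution can consume once the log carries consistent user, action, outcome and trace fields.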
Guidance related to this criterion
- Google Analytics and collection of IP addresses
- GDS - Information security
- 18F Blog - Compliance Masonry: Building a Risk management platform, brick by brick
- 18F Blog - Complexity is the adversary
Last updated: 6 May 2016