- Identify data you need to collect and comply with legislation and policy. Assess the level of risk and manage how you store, use and share it. Follow data retention and disposal rules.
- Consider privacy early and throughout your project. Ensure you meet privacy legal obligations.
- Embed and integrate security into your service design at the outset. Continue to track and test the security of your service once it is live.
Make digital services secure
Identify the data and information the service will use or create. Put appropriate legal, privacy and security measures in place.
People who use government services must have confidence that:
- any information they provide is confidential and stored appropriately
- the system they're using is safe and secure
- they know how their information will be used by government
- they can easily retrieve information they provide.
If a service cannot guarantee the confidentiality, integrity and availability of the system and of the information it holds, people will not use it.
In Alpha stage
During the Alpha stage you will develop an understanding of the users, data and threats that affect your service, and establish an approach that integrates the relevant security and privacy measures into your design with minimal impact on users. In Alpha you should:
- identify secure and private methods of generating or processing data within or between data stores, the solution and users
- identify appropriate authentication methods that are as seamless as possible to the user
- understand to what degree the solution has to comply with Information Security Policy (IS18:2018), and internal agency security policies, and create a plan on how to achieve this
- conduct a privacy impact assessment
- conduct a threat and risk assessment, identifying potential threats to your service, including the pathways an insider or an external attacker could use, and demonstrate an understanding of how to mitigate the identified threats.
To support the work in Alpha you should:
- map the systems, data and responsible agencies
- understand what user data might be needed or collected by the service
- understand the Data Governance Guideline and what existing statistical datasets may be relevant to your service
- understand which of the data you collect is (and isn't) personal information, and how it might be stored, accessed and disseminated
- involve relevant security professionals throughout the Alpha stage.
You should understand the service requirements relating to:
- legal constraints
- records governance policy
- privacy, including the Information Privacy Act 2009 (Qld)
- copyright and open licensing, including the Queensland Government Information access and use policy, Metadata management principles, Information Management Policy Framework (IMPF), and Queensland Public Sector intellectual property principles
- the Right to Information Act 2009 (Qld)
In Beta stage
During the Beta stage you'll develop a secure system that integrates seamlessly into the proposed solution. It will have appropriate security controls embedded within it to treat every threat identified in Alpha: each threat is either mitigated by a control or, where that is not practical, accepted with a documented justification.
You should involve all relevant stakeholders within the project, including:
- business owners
- information risk and compliance teams
- Senior Information Risk Owner
- Information Asset Owner
- IT security teams
- internal fraud teams, if appropriate.
You should also:
- address all legal and privacy issues associated with protecting and sharing user data
- establish a process to test and deploy security patches quickly and safely
- demonstrate that effective security controls are in place to protect data used or accessed by the solution
- integrate into or create relevant security documentation
- create a risk treatment plan to track risks and mitigations
- test the security of the solution (for example through penetration testing and code review) and fix every vulnerability found, recording any accepted residual risk in the risk treatment plan.
You should build detection and prevention mechanisms into the solution, including:
- incident response plan
- logging solution that can fully trace a user as they traverse each part of the system; because such logs are themselves a record containing personal information, protect them appropriately and apply the same retention and disposal rules as to the data they describe
- appropriate business rules that check the validity of interactions with the solution.
As you launch you should be able to show that you have created a robust secure solution that meets all security, legislative and legal requirements. It should:
- manage frequent security updates
- identify malicious or fraudulent activity
- have appropriate policies in place to respond quickly to security events
- have the ability to integrate into existing security monitoring solutions
- allow users to interact securely with the solution with minimal impact on user experience
- have mitigated all known vulnerabilities in the solution, with any residual risk accepted and recorded in the risk treatment plan.
- Google Analytics: IP Anonymization in Analytics (external)
- GOV.UK Service Manual: Information security (external)
- 18F Blog: Compliance masonry: building a risk management platform, brick by brick (external)
- 18F Blog: Complexity is the adversary (external)