9. Create a secure service which protects users’ privacy
Establish the security risks, threats and legal responsibilities associated with the service.
Why it’s important
Defra services often hold personal data about users and sensitive information about operational activities. You must protect this information to minimise disruption to services.
If active services fail to protect data, we put people and critical national infrastructure at risk. This creates a security threat and undermines public trust.
What it means
Service teams must follow the Secure by Design principles.
The Secure by Design requirements, which are completed throughout the project lifecycle, contain more detail and are available on the DDTS Portfolio Hub.
To meet the standard, you must:
- ensure senior leaders accountable for security understand the risks
- have a plan and budget to manage security, including responding to new threats
- check the security of third-party software before using it
- design security processes that are easy for users to understand
- collect, process, and store data securely
- regularly assess security risks and mitigate threats
- work with risk teams to meet security requirements
- anticipate vulnerabilities to limit opportunities for cyber attacks
- regularly test security controls
Policy and Standards
The Defra Security team produces security policies for the department. You must follow these policies when designing and delivering services.
Read the Defra Group Security policies on the intranet for full details. For service design, you should focus on the Cyber Technical Policies.
All staff, including contractors and third-party suppliers, must also comply with the Acceptable Use Policy.
Get support
Contact the Security team for advice on risk assessments, policies, and incident reporting.
- Email: security@defra.gov.uk