We update the Technology Code of Practice (TCoP) a lot. Technology and best practice changes, as does the way people use the guidance. We recognised that our security guidance did not fully meet the needs of our users, and so one of the bigger changes we’ve made recently is to the security guidance in the TCoP.
In the beginning
The security guidance started life as one sentence:
“Establish the sensitivity of information held in accordance with the Security Classification Policy, establish legal responsibilities, develop user friendly, proportionate and justifiable security controls according to the Security Policy Framework.”
This was later updated to a short paragraph of links to the National Cyber Security Centre (NCSC) and to security policy.
While this guidance explained what organisations had to do, it did not explain how to do it. We realised that we needed to do more if we wanted organisations to embed security from the start of their projects.
A different approach
That approach of linking out to policy meant users had to read all of these policies and guidance documents to work out what they might need to do, based on their particular project.
What this approach did not do was provide a handy summary of the security basics, or explain how the different pieces of guidance and policy relate to one another. It also failed to serve all of our users. A high level approach is good for those writing business cases or for senior management, but security professionals needed more detailed guidance, and everyone needed an easy way to find everything.
We are trying a different approach.
We want to look at how security works end-to-end. It’s our first attempt and we will continue to iterate and improve it based on user feedback.
TCoP should provide the overview of technology security and be a signpost to more detailed security guidance. In our latest iteration we’ve gathered the basic security principles, which everyone knows about but which are rarely recorded in one place. Rather, they are dispersed across teams and departments depending on specific requirements.
We wanted the latest iteration to just be about technology. This is because the Service Manual covers service security (more on that in a bit). We also decided it would be sensible to write the guidance with NCSC and the Government Security Group (GSG).
Clear and helpful security
Our aim is to make TCoP a useful way of bridging the gap between security and technology teams and provide a common language and understanding of how best to tackle security. We felt this was important as clear guidance could help teams to better build security into projects and programmes from the start.
The new guidance looks at security across the whole lifecycle of a project, from end to end, and helps users to include continuous improvement in their planning.
It helps with understanding security at all levels of seniority. It also helps project managers understand what sort of information they might need to include in their business cases to make sure that security is a core part of their project planning.
More on the way
We recognise that different types of technology require you to approach security in different ways. We’ve positioned the TCoP security point to be useful in a broad range of situations. But we know we need to provide more guidance for more specific circumstances and for services.
We aim to rewrite the security guidance in the Service Manual so that the service and technology guidance complement each other. We’re also working on cloud guidance to make sure all of our security principles are aligned. As with the recent TCoP security guidance, we’ll be doing this with NCSC and GSG.
This is our first go at repositioning our security guidance for TCoP and we will continue to improve it. If there is anything you think we could add, or anything which you think we are missing, please get in touch by emailing us at technology-policy@digital.cabinet-office.gov.uk.