Principles that Protect: Unveiling the Path to Secure By Design Success
Secure by Design (SbD) is just around the corner for UK defence, but many people are still developing their understanding of it. The Ebeni Cyber and Digital team have extensive knowledge in this area, so we've created a series of articles that lay out what SbD is, the benefits it brings (as well as the challenges!), and what we can deliver to help you and your system navigate the choppy Secure by Design seas.
Let's dive in! Last week we posted about the seven principles of Secure by Design; in this article we want to get a more in-depth understanding of what these actually mean for IT systems.
The seven principles of SbD are mainly built around the National Cyber Security Centre's (NCSC) Secure Design Principles and the National Institute of Standards & Technology (NIST) Cyber Security Framework. From these, the MoD has created its own 'Seven SbD Principles', which it says 'enables a culture of proactive risk management and appropriate security consideration throughout a capability's lifecycle'. These principles should be the foundation used by any system delivery team, from the initial concept phase through to end-of-life disposal.
So, what are the principles?
Principle 1: Understand and Define Context. This is arguably the most important change of focus for SbD: getting systems to focus on holistic cyber security at the earliest stage in their lifecycle. Think bigger picture here; understand who the key players are in the system, develop a Risk Appetite, and understand how the system will be used, as well as its data needs.
Principle 2: Plan the Security Activities. This principle is intrinsically linked to the first; however, it is much more focused on security across the lifecycle. Following this principle, you should be looking at appointing security leads and teams depending on the size of the project, embedding security into your governance and funding cycles, and ensuring there is a plan for security processes throughout the system lifecycle. Easier said than done!
Principle 3: Implement Continuous Risk Management. This principle is a concept that is certainly well talked about but can sometimes fall by the wayside, particularly once a system is in service. It covers the need for risk analysis and risk management throughout the system lifecycle. Simple for any information security-minded professional, but easily forgotten later in the system's life.
Principle 4: Control Identification. Again, this principle is a core part of any Information Security Management System, but it is slightly different under SbD. Greater flexibility and a capability focus seem to be the main differences, but we'll talk more about that later in the series.
Principle 5: Engage and Manage the Supply Chain. Arguably the biggest shift in cyber security mindset in recent years is the focus on system supply chains. For the MoD, this is only amplified by its extensive supply chain, which can lead to unknown vulnerabilities being introduced into its systems and the MoD network. This principle ensures supply chain security risks are adequately understood, analysed and addressed. Again, we'll go into more depth on this later in the series.
Principle 6: Assure, Verify and Test. The main shift here is from a focus on testing just prior to system 'go live' to through-life assurance of risks and controls. Of course, this also includes vulnerability testing and analysis.
Principle 7: Enable Through Life Management. Last but not least, a principle that is often forgotten when setting up an IT system. This principle covers maintaining the security posture, continuous risk management, and testing for and fixing vulnerabilities.
If you want further information or don't understand something, feel free to reach out and chat with one of our cyber security specialists, who can help.