Evaluate what data the service will be collecting, storing and providing.
Understand how government assesses data, the organisation’s legal responsibilities, and security risks.
Consult experts where you need to.
Why it’s important
Government services often hold personal and sensitive information about users. Government has a legal duty to protect this information. Failing in that duty would undermine public trust in government services.
What it means
Service teams should:
- identify the security and privacy threats to the service and its users, and have a clear, documented approach to keeping information safe and managing fraud risks
- have a plan and budget that let them manage security for the life of the service (for example by responding to new threats and applying security patches to software as they are released)
- collect and process users’ personal information in a way that’s secure and respects their privacy
- for services that need it, use an approach to identity assurance and authentication that matches the level of assurance to the risks involved, without adding more friction than those risks justify
- work with business and information risk teams to make sure the service meets security requirements
- carry out vulnerability and penetration testing appropriate to the service, and repeat it when the service changes significantly