05 Secure by design
Our solutions will adopt a secure by design ethos. One of our service design principles states that "security will be a critical element of the new service – we will hold information safely, and we will ensure that the people who work in the agency and the people who use it are safe."
The design phase of software development or customisation provides the foundation for secure software, minimising the security risks within systems. Our emphasis on building security into our solution addresses the tendency for security to be an afterthought in the development of ICT solutions.
Our approach to developing the social security solution is to ensure that the technology components, software and hardware, that make up the solution, are as free of vulnerabilities and resilient to attack as possible and we will employ a number of measures to achieve that aim, such as:
- Implementing secure software development processes;
- Ensuring continuous testing;
- Aligning with both government and industry best practice;
- Conducting threat analysis;
- Deploying static and dynamic source code scanning tools;
- Utilising penetration testing and vulnerability assessment skills.
The understanding and use of such techniques and how they are employed in a system's production will significantly decrease our chances of exposure.
Our solutions will throughout their entire lifecycle be subject to security assessment at every stage. Security will be built into the fabric of the social security systems in Scotland, from design and development, through testing and continuous improvement, to operationally live through to eventual decommissioning – security will be a key factor at every stage.
We will work in partnership with the UK National Cyber Security Centre, the national technical authority for cyber security, to ensure that our risk managed approach to solution development aligns with current thinking and the modern approach to the government security policy and practice.