Make digital services secure

• Identify data you need to collect and comply with legislation and policy. Assess the level of risk and manage how you store, use and share it. Follow data retention and disposal rules.
• Consider privacy early and throughout your project. Ensure you meet privacy legal obligations.
• Embed and integrate security into your service design at the outset. Continue to track and test the security of your service once it is live.

People who use government services must have confidence that:

• any information they provide is confidential and stored appropriately
• the system they're using is safe and secure
• they know how their information will be used by government
• they can easily retrieve information they provide.

If a service cannot guarantee confidentiality, integrity and availability of the system, people will not use it.

In Alpha stage

During Alpha stage you'll have an understanding of the users, data and threats that affect your service. You will have established an appropriate approach to integrate relevant security and privacy measures into your design with minimal user impact.

You should:

• identify secure and private methods of generating or processing data within or between data stores, the solution and users
• identify appropriate authentication methods that are as seamless as possible to the user
• understand to what degree the solution has to comply with Information Security Policy (IS18:2018), and internal agency security policies, and create a plan on how to achieve this
• conduct a privacy impact assessment
• conduct a threat and risk assessment, identifying potential threats to your service, including potential pathways for insider threats and hackers, and demonstrate an understanding of how to mitigate the identified threats.

To support the work in Alpha you should:

• map the systems, data and responsible agencies
• understand what user data might be needed or collected by the service
• understand the Data Governance Guideline and what existing statistical datasets may be relevant to your service
• understand which data you collect is (and isnt) personal information and how it might be stored, accessed and disseminated
• involve relevant security professionals throughout the Alpha stage.

You should understand the service requirements relating to:

• legal constraints
• records governance policy (Opens in new window)
• privacy, including the Information Privacy Act 2009 (Qld)
• copyright and open licensing, including the Queensland Government Information access and use policy, Metadata management principles, Information Management Policy Framework (IMPF), and Queensland Public Sector intellectual property principles
• the Right to Information Act 2009 (Qld)

In Beta stage

During the Beta stage you'll develop a secure system that integrates seamlessly into the proposed solution. It will have appropriate security controls embedded within it to mitigate all identified threats.

You should involve all relevant stakeholders within the project, including:

• business owners
• information risk and compliance teams
• Senior Information Risk Owner
• Information Asset Owner
• IT security teams
• internal fraud teams, if appropriate.

You should also:

• address all legal and privacy issues associated with protecting and sharing user data
• develop an appropriate cookie and privacy policy, and keep it up to date
• create a solution to test and implement security patches quickly and efficiently
• demonstrate that effective security controls are in place to protect data used or accessed by the solution
• integrate into or create relevant security documentation
• create a risk treatment plan to track risks and mitigations
• test the security of the solution and address all vulnerabilities discovered.

You should build detection and prevention mechanisms into the solution, including:

• incident response plan
• logging solution that can fully trace a user as they traverse each part of the system
• appropriate business rules that check the validity of interactions with the solution.

As you launch you should be able to show that you have created a robust secure solution that meets all security, legislative and legal requirements. It should:

• manage frequent security updates
• identify malicious or fraudulent activity
• have appropriate policies in place to respond quickly to security events
• have the ability to integrate into existing security monitoring solutions
• allow users to interact securely with the solution with minimal impact on user experience
• have mitigated all known vulnerabilities in the solution.

• Information security policy (IS18:2018)
• Information access and use guideline
• Data encryption standard
• Queensland Government Information security classification framework

• Google Analytics IP Anonymization in Analytics (Opens in new window) (external)
• GOV.UK Service Manual Information security (Opens in new window) (external)
• 18F Blog Compliance masonry: building a risk management platform, brick by brick (Opens in new window) (external)
• 18F Blog Complexity is the adversary (Opens in new window) (external)