Assess your risk

Agree your security controls

Your team needs to put the right controls in place to identify and manage security risks. Do this as early as you can in your project lifecycle.

Consider your context

Use controls that are appropriate for what you need to protect and how much risk is acceptable.

If you set too many controls, people might find it difficult to use your capability or service.

If you do not have enough or the right controls, you might create security vulnerabilities.

You can check the guidance on defining your context.

Review your designs

Design your capability or service so that you have the appropriate number of security controls.

For example if people do not need to access the internet to use your service, you might not need controls like web filtering.

You need to keep your designs up to date.

You must review your designs when you make major changes or new threats are reported.

Get your team involved in security design discussions. You can also ask other teams in Defence to share their designs for mitigating risk.

Map controls against risk

When you are confident in your designs, run a team workshop to agree which controls you need to use.

You need to:

  • describe why the controls are right for your capability or service
  • list your controls and the risks they will manage
  • create documentation that the team can access and your stakeholders can understand

Think about different kinds of controls

Security controls can be administrative, physical or technical. For example, people might need to use a laptop in a building with open wifi. Or, people might use electronic door locks to enter a building.

Technical security controls include things like:

  • encryption
  • firewalls
  • anti-virus software
  • data backups

GOV.UK guidance includes a template with example controls. Consider these in addition to controls used in Defence.

Check GOV.UK guidance on security controls (opens in a new tab).

Check your organisation's controls

Some top level budgets have existing controls that you can use. Check if your organisation has these. If they do, reuse what you can.

Depending on the systems you use, you might need to set some mandatory controls. Check with the owners of all the systems you use.

You should reuse existing architecture designs. These are published by the Cyber Security Design Authority (CSDA). On MODNET, you can search for 'CSDA'.

Check threat assessments

Like most organisations, Defence has details of the threats we face. You have to work for the Ministry of Defence to access these. On MODNET, search for 'threat assessments'.

If you are part of a larger programme, you should share your threat assessments with related projects. Projects can use your assessments to help set their controls.

You can check GOV.UK guidance on threat assessments (opens in a new tab).

Published August 2024