Embedding security within investment approvals
Following a Secure by Design (SbD) approach aligns security needs with mission requirements.
This allows clear forecasting of security costs, which helps to inform the level of investment required.
Capability sponsors should make sure the cost of security outcomes is considered and submitted as part of the investment approvals process.
Follow guidance on cyber security Suitably Qualified and Experienced Person requirements to consider this cost within investment approvals and through-life.
The Green Book offers guidance from the Cabinet Office on how to appraise policies, programmes and projects.
JSP 655: Defence Investment Approvals details the policy and guidance on investment approvals and scrutiny.
JSP 656: Exportability and Capability Protection provides guidance on how to approach the development of military capabilities.
Benefits
Embedding security means:
- security is considered in all costing and investment approvals
- more certainty around the time, cost, and resourcing
- increased likelihood of success when requesting investment
Outcomes
Investment proposals consistently demonstrate an understanding of security risks through their inclusion in:
- business cases
- financial plans (including forecasts and resource allocation)
- risk registers that map out identified security threats and proposed mitigations
Responsibility
Who is responsible for embedding security in investment approvals:
- capability sponsors
- delivery team security lead
- scrutiny boards should make sure appropriate security has been factored into the funding request
When to embed security in investment approvals
Security should be embedded prior to each investment approval.