Cyber security solutions are an investment made by an organisation to protect their assets from harm caused by a security attack. If the cyber security solution is not effective the business is exposed to risk.

How can you tell if a cyber security solution is effective?

Most solutions will go through an acceptance process as part of the delivery cycle. Traditionally, assurance is an element of the acceptance process that verifies that business security objectives are being met. This is often undertaken by a process of assessing risks, implementing mitigations, and collating evidence the risk mitigations

have been implemented.

What is more, there is a need for this to be an ongoing process, through the solution’s life, to ensure that any new security risks that emerge from new threats, differing usage patterns or emerging requirements are met.

This process is referred to as security management and is a well-established process. Secure by Design is the evolution of this approach that recognises that security management needs to be practised from the start of a project to ensure security is duly considered at all stages of the solution lifecycle, to ensure security is baked-in, rather that bolted-on to meet acceptance criteria. As will be shown, this is implicitly an Agile process.

This paper explores how Secure by Design can be embedded into familiar business governance processes and applied in a variety of situations. Two use cases are used to explore the approach: the delivery of a Secure Information Exchange Solution and the delivery of a High Assurance Secure Information Exchange product