https://identityassurance.blog.gov.uk/2016/04/04/accreditation-and-risk-management-in-gov-uk-verify/

Accreditation and risk management in GOV.UK Verify

Point 7 of the Digital by Default Service Standard says:

Evaluate what user data and information the digital service will be providing or storing, and address the security level, legal responsibilities, privacy issues and risks associated with the service (consulting with experts where appropriate).

We blogged recently about some of the work we do to protect GOV.UK Verify from fraud and information security risk.

This post looks in more detail at how we manage the risks covered by this point: those related to the use, processing, storage and transmission of data.

Here at GDS, as in every other government department, we consider information assurance and security risks as part of the overall business of building and running public services.

For GOV.UK Verify we have specialist team members who follow a risk assessment methodology to allow us to define risk in a quantifiable and repeatable manner. They communicate those risks back into the programme Senior Management Team with recommendations on appropriate mitigations to those risks, allowing the right people to make informed decisions. The wider GOV.UK Verify team, including its security experts, provide support to ensure that what we are doing is appropriate and sensible.

There are two groups within the GOV.UK Verify team that are responsible for looking at risk more broadly: the risk management group and portfolio group. These groups work to ensure we have the resources available to mitigate identified risks in a timely manner.

Because it’s a cross-government service, the senior information risk owner for GOV.UK Verify is the Government Senior Information Risk Owner (GSIRO). The GSIRO has cross-government remit and responsibilities. They are responsible for making sure that GOV.UK Verify is managing risk appropriately.

The GSIRO needs to know that what we - the programme - are telling them about potential risks and mitigation is accurate. To facilitate that an independent person, known as an Accreditor, is normally appointed to act as an arbiter of risk. In the case of GOV.UK Verify we have 2 Accreditors. One is from GDS (but outside the GOV.UK Verify team): they make sure we consider all risks and apply the appropriate controls in line with Cabinet Office policy. One is a Pan Government Accreditor (PGA) from CESG, the national technical authority: they ensure that risks to wider government are considered and reported back to the GSIRO.

Regular meetings between the independent Accreditors and members of the GOV.UK Verify team mean that we have a constant open communication channel between all those concerned about security risk.

Within the accreditation and broader risk management process we have to consider the implications of the Data Protection Act and make sure that our service is always fully compliant with it.

In my role as Security Operations Lead I work very closely with the GOV.UK Verify Privacy Officer and Legal Advisor to ensure that we meet the legal obligations laid down by the act. Beyond those obligations, we consider the privacy of GOV.UK Verify’s users at every decision point. The Privacy Officer wrote more about this recently.