SecureByDesign-Playbook

Why this playbook

Secure By Design is an approach to managing security through the project’s risk register.

We also need a way of calculating those risks: the threats to each asset, the impact of that asset being compromised, and the reduction in risk when controls are implemented.

We evaluated a few frameworks and based this playbook on NIST’s Cybersecurity Framework (now at v2.0), but this too is only a framework and not an implementation.

Since this is a risk-based approach (that is, we want to calculate and manage risk, not just take risks), we chose the NIST SP 800-53 and SP 800-30 risk management guides for the scales and calculations.

By themselves these are still quite broad, and in our first attempts at Secure By Design we found we needed to extract the relevant details and tables into spreadsheets to calculate the residual risks. This playbook provides those ready to go.
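The residual-risk calculation the spreadsheets perform (threat likelihood, impact of compromise, and the reduction a control brings) can be sketched in a few lines of code. This is an added illustration, not the playbook’s own template: the five-level scale, the likelihood/impact combination rule and the "scale steps removed" model of control effect are assumptions chosen to resemble the qualitative tables in NIST SP 800-30, not a copy of them.

```python
# Added example, not part of the playbook. Scale, matrix rule and control
# model are ASSUMED for illustration (in the spirit of NIST SP 800-30, not
# a verbatim copy of its tables).
from dataclasses import dataclass, field

LEVELS = ["very low", "low", "moderate", "high", "very high"]  # assumed scale
IDX = {name: i for i, name in enumerate(LEVELS)}


def combine(likelihood: str, impact: str) -> str:
    """Assumed rule: risk starts at the impact level and drops one step for
    each level the likelihood sits below 'high' (floored at 'very low')."""
    l, i = IDX[likelihood], IDX[impact]
    return LEVELS[max(0, i - max(0, IDX["high"] - l))]


@dataclass
class Control:
    name: str
    likelihood_reduction: int  # assumed: scale steps the control removes


@dataclass
class Threat:
    asset: str
    description: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent_risk(self) -> str:
        return combine(self.likelihood, self.impact)

    def residual_likelihood(self) -> str:
        steps = sum(c.likelihood_reduction for c in self.controls)
        return LEVELS[max(0, IDX[self.likelihood] - steps)]

    def residual_risk(self) -> str:
        return combine(self.residual_likelihood(), self.impact)


# Constructed sample register entry (values are illustrative only).
SAMPLE = Threat(
    asset="developer team network",
    description="phishing leads to credential theft",
    likelihood="high",
    impact="high",
    controls=[Control("phishing-resistant MFA", 2)],
)

if __name__ == "__main__":
    print(SAMPLE.inherent_risk(), "->", SAMPLE.residual_risk())
```

Each row of a risk-register spreadsheet corresponds to one Threat; the spreadsheet’s lookup table is what combine() stands in for here.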

Checklists

There are ready-made checklists that you can use as an action plan for security controls for common situations such as developer team networks.

These can be misleading in unusual situations, and they do not help us to understand the costs and benefits of accepting risks or of mitigating them.

However, they are a good start, and can be used immediately, before you work through the longer processes. See, for example, the UK Government’s Cyber Essentials for a list of things to do to secure your organisation.

What it is and is not

We have a process, and a set of partly pre-filled spreadsheets, tables and templates to help people write their own risk assessment. It combines the NIST framework, common western military threat assessments, and some concepts that have emerged from experience in securing IT and physical systems.

It does not have any ready answers, and will not write your security checklists or risk assessments for you. If you have a ‘standard’ project or organisation, you should consider finding ready-made templates (such as Cyber Essentials above), and come back to this if you need more rigour or have aspects that do not fit the template well.

The playbook is largely text, with some explanation videos and a few worked examples.

How to contribute

Please do contribute suggestions for better evaluations, better explanations, and better materials. If you apply this to a particular project and you are able to tell us about it, please do.

If you build your own templates and consultancy from this, again let us know. This is intended to help security professionals and project managers get better, and commercialising specialisations of this playbook is a great way to make it usable.