change to standard 9 and created change file

DFE-Digital · Dec 19, 2022 · b1a33c4 · b1a33c4
1 parent 46d9d95
commit b1a33c4
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,15 @@
+# Change log
+
+
+
+---
+## 19 December 2022
+
+### Added
+
+
+### Changed
+Changes to standard 9 from a Cyber and Information Security specialist
+
+
+### Fixed
diff --git a/source/service-standard/9-create-a-secure-service.html.md.erb b/source/service-standard/9-create-a-secure-service.html.md.erb
@@ -38,6 +38,8 @@ DfE handles <a href="https://educationgovuk.sharepoint.com/sites/lvewp00158/Site
 
 We have a legal duty to protect personal and sensitive information. Failing to do so would undermine public trust in DfE services. 
 
+DfE service and project teams must understand the importance of protecting the confidentiality, integrity and availability of sensitive information. This includes being aware of risks that reduce the security of the information, and taking action to mitigate.
+
 
 
 ## How to meet this standard in every phase
@@ -72,7 +74,7 @@ Some of the following guidance links go to the DfE intranet. If you do not have
 - a plan for how the findings from checking technical feasibility and security compliance will be addressed in beta
 - how to protect users and the <a href="https://www.gov.uk/service-manual/technology/protecting-your-service-against-fraud" target="_blank">service from fraud (opens in new tab)</a>
 - the use of <a href="https://design-system.service.gov.uk/patterns/cookies-page/" target="_blank">cookies (opens in new tab)</a> in the service
-- how you will manage and own risks through risk registers and Information Security Officers (ISOs)
+- how you will manage and own risks through risk registers and applying information assurance best practice
 
 ### In beta and live
 
@@ -87,6 +89,7 @@ Some of the following guidance links go to the DfE intranet. If you do not have
 - use of <a href="https://dfe-digital.github.io/architecture/common-components/#what-are-common-components" target="_blank">common components</a>, such as <a href="https://dfe-digital.github.io/architecture/common-components/#dfe-sign-in" target="_blank">DfE Sign-in</a> if authentification is required, to secure your service
 - creating an asset register for the service
 - evidence that all risks to security have been addressed, when moving from beta to live
+- evidence that the security controls implemented are compliant with department standards
 - how you will eventually decommission the service. Consider if the service is needed for a specific time, or whether it's needed for longer
  - consider archive or retention policies and access requirements
  - how to support Freedom of Information (FOI) requests or Subject Access Requests (SARs)