
Secure Engineering CoP (Community of Practice)

This is part of a broader quality framework and is one of a set of communities of practice.

Subject

Secure Engineering practices, tools & approaches within NHS Digital.

Sponsor

(TBC who)

Goals

For secure development and operation of systems:

  • Share knowledge:
  • Build knowledge:
    • Organise learning events (e.g. guest speakers)
    • Organise events to practice security (e.g. security jams)
    • Evaluate candidate security tools
    • Form mini-groups to respond to "how do I..." questions from teams - generating examples in the Software Engineering Quality Framework

Goals to be reviewed after 3 months

Scope

Areas of interest are specifically:

  • Secure development & operations practices
  • Security good practice
  • Automated security-testing tools, for example tools to scan for secrets or other sensitive data

Coordinator

  • Initially:
    • There will be a facilitator group, comprising a representative from each of the member NHS Digital directorates (DSC, Product Development, Platforms, Security Architecture)
    • The group will self-organise who facilitates individual sessions & activities
  • Once the community is established:
    • This will be a rotating post on a 3-month basis, requiring a commitment of one day per week
    • The coordinator will run a blog to help publicise the activity of the group
    • There will be a deputy coordinator (to cover sessions when the coordinator is away, etc.). They will also typically take over as coordinator for the following 3 months, which gives the group continuity.

Members

  • This group will span NHS Digital and include representatives from DSC, SSS, and delivery teams
  • If possible, this group will also include external (to NHS Digital) subject-matter experts
  • Core members should be kept to under 15, to promote interactive sessions
  • Should include a mix of backgrounds including members of the Data Security Centre and team members with no Security qualifications
  • Should include people from a representative spread of teams / directorates
  • Can join as representatives from a specific team, or as "interested parties"

Format

  • The group's official home is (TBC - where)
  • This includes a Backlog
  • Any member can contribute to the backlog. This could be show-and-tells of tools or approaches; queries about how to do something; curation of a principle; talking about an organisation-wide policy; etc.
  • The group meets regularly (TBC - how frequently) to refine the backlog and talk through items
  • The group will also organise and facilitate other meetings, such as training workshops, hack-days, etc., which will be open to a much wider audience.
  • The group will maintain a discussion channel (TBC - where) open to all of NHS Digital: for advice and guidance, and wider knowledge sharing