Consider security as a factor in all the decisions you make whilst designing, building and operating the service.
The person making key technology and architecture decisions needs to understand that many of their choices will have security implications. It’s important that the person in this key role has good security input for all their decisions. Some choices will inevitably result in risks being taken on. These will need to be tracked and managed.
During the development of a service there will be points at which it’s logical to take stock of the decisions made, and where risks are being carried, to test whether they are manageable. This process is likely to be most helpful when the system design is changing significantly. Involve someone independent and skilled in security architecture design early on – their feedback can help you build confidence in the security competence of the delivery team.
See our Risk management principles to inform the approach you take to managing risk in your service.
Source: NCSC
