Security by design and default – ScotAccount
May 16, 2024 by Stewart Hamilton No Comments | Category Digital Identity, Digital Scotland, ScotAccount
Laurie Brown, Digital Information Security Officer, provides strategic information security direction, assurance, and governance across a number of Scottish Government digital public services including the work to introduce ScotAccount.
ScotAccount is the secure and simple way to access public services online.
It makes accessing services easier because you can use one account to sign in to a variety of services. You can also verify your identity, if necessary, and choose to save your verified personal information in your ScotAccount, so you can use it again when applying for other public services.
Our approach towards security
In my original blog, I introduced you to the principles I use to embed security in service design. These are: (1) Privacy by design and default, (2) Security by design and default and (3) Usability by design and default. Following on from my last blog which focused on ‘Privacy by design and default’, I now share more detail on the second of those three principles ‘Security by design and default’.
Security is not just something security professionals are responsible for – everyone has a role to play. The National Cyber Security Centre (NCSC) offers some excellent guidance, and the information available to individuals and families, in particular, is as relevant to how you use ScotAccount as it is to any online service, be that banking, email, shopping or social media.
Security by design and default requires having in place both proactive security measures to protect information from cyber-attack and reactive capabilities to respond to cyber-attacks and limit their impact. To do this, I use NCSC guidance on risk management and wrap it with robust security governance and assurance.
I created a methodology to support my security by design and default principle several years ago, which ScotAccount robustly follows. This methodology aligns with the recently published UK Government Secure by Design Framework, and ensures effective proactive security measures and reactive capabilities are embedded in the delivery and running of ScotAccount. This helps meet people’s expectations of how they want to interact with government, securely and in a manner which protects their privacy.
Security Governance
For security governance, NCSC guidance again plays an important role for me.
To ensure ScotAccount security governance has the right people, structures, and risk management processes in place, I recruited and empowered a team with the required security expertise to help deliver my security by design and default principle and methodology.
I also set up a security and privacy governance board to provide robust oversight of the security programme. And I implemented an agile way of working across the security, user-centred design, and product teams to delegate and support rapid risk-based decision making and change management.
Security Assurance
For security assurance, the NCSC model illustrates my approach well. As ScotAccount reaches the latter stages of its Beta phase, the ‘extrinsic assurance’ mechanism, as defined in the NCSC model, is being given extra focus through increased effort on external compliance and certification assessment, including the UK Government GovAssure scheme. Independent security assessments have already been completed on ScotAccount’s approaches to authentication quality and identity verification confidence, with full compliance at the Medium level in place.
ScotAccount is also examining whether compliance with the UK Government digital identity and attributes trust framework would help support potential future interoperability with the GOV.UK One Login service.
Coming Next
In my next and final blog of this series, I will talk more about ‘Usability by design and default’ where I will explore the user experience we want to deliver and how we are making ScotAccount as widely usable as possible.
How to contact the team
You can subscribe to Scottish Government Digital Scotland newsletter for regular updates on ScotAccount and other digital projects.
If you work for a public service organisation and are interested in finding out more about ScotAccount, or would like to access our test environment, you can get in touch with the team by emailing: scotaccount@gov.scot