{"id":4806,"date":"2023-10-27T07:25:55","date_gmt":"2023-10-27T07:25:55","guid":{"rendered":"https:\/\/blogs.gov.scot\/digital\/?p=4806"},"modified":"2023-11-27T08:02:24","modified_gmt":"2023-11-27T08:02:24","slug":"security-by-design-scotaccount","status":"publish","type":"post","link":"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/","title":{"rendered":"Security Principles \u2013 ScotAccount"},"content":{"rendered":"\r\n<p><strong>Laurie Brown, Digital Information Security Officer within Scottish Government, provides strategic information security direction, assurance and governance across a number of Scottish Government digital public services including the work of the digital identity programme.<\/strong><\/p>\r\n<p>In this blog post, Laurie introduces the security principles being applied to <a href=\"https:\/\/blogs.gov.scot\/digital\/2023\/06\/23\/scotaccount-pilot-with-disclosure-scotland\/\">ScotAccount<\/a>, the new digital identity service. <br \/><br \/><strong>Valuable design and the principles of security<\/strong> <br \/><br \/>In Serena Nusing\u2019s <a href=\"https:\/\/blogs.gov.scot\/digital\/2022\/02\/24\/service-design-and-cots-products\/\">excellent blog on service design and Commercial Off-The-Shelf (COTS) products<\/a>, she talks about the most valuable design, where desirability, feasibility and viability intersect.<\/p>\r\n<p><a href=\"https:\/\/blogs.gov.scot\/digital\/wp-content\/uploads\/sites\/5\/2023\/10\/MicrosoftTeams-image-6.png\"><img class=\"aligncenter size-full wp-image-4827\" src=\"https:\/\/blogs.gov.scot\/digital\/wp-content\/uploads\/sites\/5\/2023\/10\/MicrosoftTeams-image-6.png\" alt=\"\" width=\"602\" height=\"351\" \/><\/a>
<br \/><br \/>When providing information security direction, assurance and governance, I try to think of security in terms of the most valuable design, and I have three principles I apply.<\/p>\r\n<p>These three principles are based on the <a href=\"https:\/\/www.torontomu.ca\/content\/dam\/pbdce\/seven-foundational-principles\/The-7-Foundational-Principles.pdf\">7 foundational principles written by Ann Cavoukian<\/a> during her time as Information and Privacy Commissioner for Ontario, Canada, and <a href=\"https:\/\/ico.org.uk\/for-organisations\/uk-gdpr-guidance-and-resources\/data-protection-principles\/a-guide-to-the-data-protection-principles\/\">the UK General Data Protection Regulation principles<\/a>. These principles have also been aligned to the <a href=\"https:\/\/www.gov.scot\/publications\/digital-scotland-service-standard\/\">Digital Scotland Service Standard<\/a>, which aims to make sure that services in Scotland are continually improving and that users are always the focus. <br \/><br \/><strong>Principle 1<\/strong>: Privacy by design and default <br \/><br \/>Data minimisation is the default, and data privacy is embedded into the design and development of the service. <br \/><br \/>The rationale for this principle asks us to consider data protection and privacy issues upfront in everything we do, putting in place appropriate technical and organisational measures to safeguard individual rights. 
The principle underpins the specification, design, development, operation and maintenance of the service, including relationships and contracts with third parties, throughout the entire lifecycle, from information collection through to disposal. <br \/><br \/>Additionally, this principle requires that we do not collect personal data unless and until a specific and compelling purpose is defined; and once it is defined, that such collection is justified, necessary and proportionate, and that we have demonstrable accountability for it. <br \/><br \/><strong>Principle 2<\/strong>: Security by design and default <br \/><br \/>Positive action to anticipate and prevent information security incidents before they happen. <br \/><br \/>The rationale for this principle is characterised predominantly by proactive, rather than reactive, cyber security measures that protect information from cyber-attack, while ensuring a portfolio of proactive and preventative cyber resilience capabilities is in place to ward off cyber-attacks or, if the need arises, to respond to and limit the impact of cyber-attacks. <br \/><br \/><strong>Principle 3<\/strong>: Usability by design and default <br \/><br \/>Provide stakeholder assurance that, where possible, security is verified and transparent to the customer and supports business requirements, keeping the interests of the customer uppermost. <br \/><br \/>The rationale for this principle is to assure all stakeholders that the service is visibly operating according to its stated promises and objectives and is subject to regular independent verification. 
<br \/><br \/>It means that we are clear, open and honest about how the service is operating against its stated promises and objectives, about how we are ensuring we meet the principles of an <a href=\"https:\/\/www.gov.scot\/publications\/a-changing-nation-how-scotland-will-thrive-in-a-digital-world\/pages\/an-ethical-digital-nation\/\">ethical digital nation<\/a>, and that we maintain a culture of transparency and openness through a proactive approach to publishing relevant information. <br \/><br \/>And finally, that we keep the needs of our users uppermost, responding to our programme of continuous user feedback by challenging our privacy and security approach and ensuring it supports, rather than hinders, the usability, accessibility and digital inclusion of our service. <br \/><br \/>In my next blog, I will explore in more detail the first principle, \u2018Privacy by design and default\u2019, outlining how privacy has been approached so far, and how we are building trust and confidence in the service with service end-users, service customers, the Information Commissioner\u2019s Office, and other key stakeholders.<br \/><br \/><strong>How to contact the team<\/strong> <br \/><br \/>You can subscribe to the <a href=\"https:\/\/mailchi.mp\/c825378db242\/registration\">Scottish Government Digital Scotland newsletter<\/a> for regular updates on ScotAccount and other digital projects. 
<br \/><br \/>If you work for a public service organisation and are interested in finding out more about ScotAccount, or would like to access our test environment, you can get in touch with the team by emailing: <a href=\"mailto:scotaccount@gov.scot\">scotaccount@gov.scot<\/a><\/p>\r\n","protected":false},"excerpt":{"rendered":"<p>Laurie Brown, Digital Information Security Officer within Scottish Government, provides strategic information security direction, assurance and governance across a number of Scottish Government digital public services including the work of the digital identity programme.<\/p>\n","protected":false},"author":317,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[157,400],"tags":[19,146,394,98,387,94],"class_list":["post-4806","post","type-post","status-publish","format-standard","hentry","category-digital-identity","category-scotaccount","tag-digital","tag-digital-scotland","tag-digital-scotland-service-standard","tag-identity","tag-scotaccount","tag-scotland"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Security Principles \u2013 ScotAccount - Digital<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Security Principles \u2013 ScotAccount - Digital\" \/>\n<meta property=\"og:description\" content=\"Laurie Brown, Digital Information Security Officer within Scottish Government, provides strategic information security direction, assurance and governance across a number of Scottish Government digital public services including 
the work of the digital identity programme.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/\" \/>\n<meta property=\"og:site_name\" content=\"Digital\" \/>\n<meta property=\"article:published_time\" content=\"2023-10-27T07:25:55+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-11-27T08:02:24+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blogs.gov.scot\/digital\/wp-content\/uploads\/sites\/5\/2023\/10\/MicrosoftTeams-image-6.png\" \/>\n<meta name=\"author\" content=\"Stewart Hamilton\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Stewart Hamilton\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/\"},\"author\":{\"name\":\"Stewart Hamilton\",\"@id\":\"https:\/\/blogs.gov.scot\/digital\/#\/schema\/person\/fd47935c780321ad6c4ecbb2f10da552\"},\"headline\":\"Security Principles \u2013 
ScotAccount\",\"datePublished\":\"2023-10-27T07:25:55+00:00\",\"dateModified\":\"2023-11-27T08:02:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/\"},\"wordCount\":639,\"commentCount\":1,\"image\":{\"@id\":\"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blogs.gov.scot\/digital\/wp-content\/uploads\/sites\/5\/2023\/10\/MicrosoftTeams-image-6.png\",\"keywords\":[\"digital\",\"Digital Scotland\",\"Digital Scotland Service Standard\",\"identity\",\"ScotAccount\",\"scotland\"],\"articleSection\":[\"Digital Identity\",\"ScotAccount\"],\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/\",\"url\":\"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/\",\"name\":\"Security Principles \u2013 ScotAccount - 
Digital\",\"isPartOf\":{\"@id\":\"https:\/\/blogs.gov.scot\/digital\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blogs.gov.scot\/digital\/wp-content\/uploads\/sites\/5\/2023\/10\/MicrosoftTeams-image-6.png\",\"datePublished\":\"2023-10-27T07:25:55+00:00\",\"dateModified\":\"2023-11-27T08:02:24+00:00\",\"author\":{\"@id\":\"https:\/\/blogs.gov.scot\/digital\/#\/schema\/person\/fd47935c780321ad6c4ecbb2f10da552\"},\"breadcrumb\":{\"@id\":\"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/#primaryimage\",\"url\":\"https:\/\/blogs.gov.scot\/digital\/wp-content\/uploads\/sites\/5\/2023\/10\/MicrosoftTeams-image-6.png\",\"contentUrl\":\"https:\/\/blogs.gov.scot\/digital\/wp-content\/uploads\/sites\/5\/2023\/10\/MicrosoftTeams-image-6.png\",\"width\":602,\"height\":351},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blogs.gov.scot\/digital\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security Principles \u2013 ScotAccount\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blogs.gov.scot\/digital\/#website\",\"url\":\"https:\/\/blogs.gov.scot\/digital\/\",\"name\":\"Digital\",\"description\":\"Updates from the Scottish Government&#039;s Digital 
Directorate\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blogs.gov.scot\/digital\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blogs.gov.scot\/digital\/#\/schema\/person\/fd47935c780321ad6c4ecbb2f10da552\",\"name\":\"Stewart Hamilton\",\"description\":\"Communications and Engagement Officer\",\"url\":\"https:\/\/blogs.gov.scot\/digital\/author\/stewarthamilton\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Security Principles \u2013 ScotAccount - Digital","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/","og_locale":"en_GB","og_type":"article","og_title":"Security Principles \u2013 ScotAccount - Digital","og_description":"Laurie Brown, Digital Information Security Officer within Scottish Government, provides strategic information security direction, assurance and governance across a number of Scottish Government digital public services including the work of the digital identity programme.","og_url":"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/","og_site_name":"Digital","article_published_time":"2023-10-27T07:25:55+00:00","article_modified_time":"2023-11-27T08:02:24+00:00","og_image":[{"url":"https:\/\/blogs.gov.scot\/digital\/wp-content\/uploads\/sites\/5\/2023\/10\/MicrosoftTeams-image-6.png","type":"","width":"","height":""}],"author":"Stewart Hamilton","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Stewart Hamilton","Estimated reading time":"3 
minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/#article","isPartOf":{"@id":"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/"},"author":{"name":"Stewart Hamilton","@id":"https:\/\/blogs.gov.scot\/digital\/#\/schema\/person\/fd47935c780321ad6c4ecbb2f10da552"},"headline":"Security Principles \u2013 ScotAccount","datePublished":"2023-10-27T07:25:55+00:00","dateModified":"2023-11-27T08:02:24+00:00","mainEntityOfPage":{"@id":"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/"},"wordCount":639,"commentCount":1,"image":{"@id":"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/#primaryimage"},"thumbnailUrl":"https:\/\/blogs.gov.scot\/digital\/wp-content\/uploads\/sites\/5\/2023\/10\/MicrosoftTeams-image-6.png","keywords":["digital","Digital Scotland","Digital Scotland Service Standard","identity","ScotAccount","scotland"],"articleSection":["Digital Identity","ScotAccount"],"inLanguage":"en-GB","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/","url":"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/","name":"Security Principles \u2013 ScotAccount - 
Digital","isPartOf":{"@id":"https:\/\/blogs.gov.scot\/digital\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/#primaryimage"},"image":{"@id":"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/#primaryimage"},"thumbnailUrl":"https:\/\/blogs.gov.scot\/digital\/wp-content\/uploads\/sites\/5\/2023\/10\/MicrosoftTeams-image-6.png","datePublished":"2023-10-27T07:25:55+00:00","dateModified":"2023-11-27T08:02:24+00:00","author":{"@id":"https:\/\/blogs.gov.scot\/digital\/#\/schema\/person\/fd47935c780321ad6c4ecbb2f10da552"},"breadcrumb":{"@id":"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/#primaryimage","url":"https:\/\/blogs.gov.scot\/digital\/wp-content\/uploads\/sites\/5\/2023\/10\/MicrosoftTeams-image-6.png","contentUrl":"https:\/\/blogs.gov.scot\/digital\/wp-content\/uploads\/sites\/5\/2023\/10\/MicrosoftTeams-image-6.png","width":602,"height":351},{"@type":"BreadcrumbList","@id":"https:\/\/blogs.gov.scot\/digital\/2023\/10\/27\/security-by-design-scotaccount\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blogs.gov.scot\/digital\/"},{"@type":"ListItem","position":2,"name":"Security Principles \u2013 ScotAccount"}]},{"@type":"WebSite","@id":"https:\/\/blogs.gov.scot\/digital\/#website","url":"https:\/\/blogs.gov.scot\/digital\/","name":"Digital","description":"Updates from the Scottish Government&#039;s Digital 
Directorate","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blogs.gov.scot\/digital\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Person","@id":"https:\/\/blogs.gov.scot\/digital\/#\/schema\/person\/fd47935c780321ad6c4ecbb2f10da552","name":"Stewart Hamilton","description":"Communications and Engagement Officer","url":"https:\/\/blogs.gov.scot\/digital\/author\/stewarthamilton\/"}]}},"_links":{"self":[{"href":"https:\/\/blogs.gov.scot\/digital\/wp-json\/wp\/v2\/posts\/4806","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.gov.scot\/digital\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gov.scot\/digital\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gov.scot\/digital\/wp-json\/wp\/v2\/users\/317"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gov.scot\/digital\/wp-json\/wp\/v2\/comments?post=4806"}],"version-history":[{"count":0,"href":"https:\/\/blogs.gov.scot\/digital\/wp-json\/wp\/v2\/posts\/4806\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.gov.scot\/digital\/wp-json\/wp\/v2\/media?parent=4806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gov.scot\/digital\/wp-json\/wp\/v2\/categories?post=4806"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gov.scot\/digital\/wp-json\/wp\/v2\/tags?post=4806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}