What is the role of the Security CCC?

The role of the Security CCC is to assess the cyber security posture of anything new coming through the TRG. This will include understanding whether or not anyone from the DSC’s S3 (Specialist Security Services) team has been engaged in the drafting of the submission, whether risk assessments have been carried out, and if any measures have been proposed to moderate or control any identified risks.

There are a number of documents that it is helpful to complete in the process of drafting a submission:

  • The SLSP (System Level Security Policy), which includes, for example, information relating to the architecture being used, which version, access (internal vs external), security testing, data encryption and disaster recovery.
  • If you plan to use cloud technologies, the Cloud Risk Data Assessment, which will classify your requirement from 1 to 5 (5 being most in need of protection), based on the type and scale of data being stored, as well as the persistence (long or short-term use). It will then advise on the type of controls relevant to each classification.

The organisation's strategic direction is to cloud host all solutions where possible. Where your solution is locally hosted, for security or legacy reasons, early engagement with the S3 team at the Data Security Centre is again key, as they can walk you through the more bespoke requirements.

What evidence will they be looking for in your submission?

  • Have you engaged directly with anyone in the S3 team for advice when drafting your submission?
  • Have you completed a Cloud Risk Data Assessment?
  • Have you proposed any controls to moderate identified risks, and if not, have you detailed a robust rationale?